how to effect change in the epistemological wasteland of application security
TRANSCRIPT
![Page 1: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/1.jpg)
How to effect change in the Epistemological Wasteland of Application Security
James Wickett
@wickett #ruggeddevops
James Wickett
SR. ENGINEER, SIGNAL SCIENCES
AUSTIN, TX
HANDS-ON GAUNTLT BOOK
DEVOPS DAYS GLOBAL ORGANIZER
LASCON ORGANIZER
Application Security Monitoring and Instrumentation
Application Security you can use!
An approach that integrates with devops organizations
Productizing the Etsy security approach
Summary

Software development has been a constant experiment in how we know anything

Application Security abdicated runtime responsibility, and effectively abdicated development responsibility, through incoherent philosophical approaches and fostering organizational silos

DevOps is here to stay, and security can actually be a part of it

Ops found a way to add value; security needs to find that same path

There are three ways we can add value: at development, at deploy, at runtime
A study in how we know anything in Application Security

Spoiler Alert: We don’t!
once upon a time…

Epistemological Problem of Software Development

We optimize for the probable
Unit Testing

Integration Testing

Happy Path Engineering
We also optimize for the possible

Over Engineering

The scaling algo that never got used…

There is too much to choose from in the realm of possible
Actually, we optimize for the perceived probable

How do we know what to create?

This is the problem

Epistemological Problem of Software Development

We gather data and rhetoric to support our theories
There are 3 major arcs in the history of Software Development

First Arc: Agile

Agile avoids the problem

Agile reminds us that we don’t know what we are building
Behavior Driven Development

BDD = Agile + feedback

Behavior Driven Development is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters. - Dan North, 2009
Amplify Feedback Loop

Agile emphasizes feedback to developers from their overlords and sometimes even customers

TLDR; Rapid Iterations Win

Agile is our guiding Light
The world has changed since Agile

We don’t sell CD’s anymore

Software as a Service

The last fifteen years have brought a complete change in our delivery cadence, distribution mechanisms and revenue models
Second Arc: DevOps

DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM ADMINISTRATION - THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK

DEVOPS

Agile Infrastructure

http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
Less WIP
Less technical debt

Customers actually using the feature while the developer is working on it

Great side effect: Produces Happy Developers

Devops realized that ops doesn’t know what devs know and vice versa

Dev : Ops 10 : 1
DevOps is an Epistemological breakthrough joining people around a common problem

Culture is the most important aspect to devops succeeding in the enterprise - Patrick DeBois

Culture is shaped in part by values

Mutual Understanding
Shared Language
Shared Views
Collaborative Tooling

DEVOPS IS THE INEVITABLE RESULT OF NEEDING TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED COMPUTING AND CLOUD] ENVIRONMENT. - TOM LIMONCELLI
https://puppetlabs.com/sites/default/files/2015-state-of-devops-report.pdf

TLDR; High-performing IT organizations experience 60X fewer failures and recover from failure 168X faster than their lower-performing peers. They also deploy 30X more frequently with 200X shorter lead times.

Culture, Automation, Measurement, Sharing - @damonedwards, @botchagalupe

Devops gone wrong

“THAT THE WORD #DEVOPS GETS REDUCED TO TECHNOLOGY IS A MANIFESTATION OF HOW BADLY WE NEED A CULTURAL SHIFT” - @PATRICKDEBOIS http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops
Third Arc: Continuous Delivery

Continuous Delivery is not merely how often you deliver but how little you can deliver at a time

Delivery Pipelines are rad!

Batch Size of 1

Separation of Duties Considered Harmful

Give power to the Developers to deploy

Reduce Code Latency
Increase Code Velocity

3 Arcs: Agile, DevOps, Continuous Delivery
The next Arc: Security Rugged

“…Those stupid developers” - Security person

“Security prefers a system powered off and unplugged” - Developer

Cultural Unrest with security in most organizations

Compliance Driven Culture

“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
Security is where ops was 5 years ago…

Dev : Ops : Sec 100 : 10 : 1

Understaffing means no one thinks security helps the business win

DevOps changed that for Ops, security can change too

Netflix demonstrated that people care about resiliency

Innately, we all care

Rugged Software Movement

#ruggeddevops
https://vimeo.com/54250716

http://www.youtube.com/watch?v=jQblKuMuS0Y

Security’s way forward is to help developers and help operations

Start there

Let’s review Security’s approach thus far
BadIdea #1
Applications can’t be defended—Web App Firewalls Suck! Let’s do developer training

Awareness campaign: OWASP Top Ten

We abandoned knowing anything useful about the Runtime

Instead Add Defense based on behaviors
BadIdea #2
Developers can’t figure it out. Let’s scan for vulnerabilities instead

“here is a 400 page PDF of our findings to prove your developers don't get it!” - The Pen tester

Even with the emphasis on appsec training, in practice we made it a dark art

Integrated rugged testing should sit inside the pipeline
BadIdea #3
With the new alignment to vulnerability scanning, there is a tendency to Fix the Low-Hanging Fruit

we still don't know who is attacking us

We still don't actually know what they are attacking

Real Threats go Unknown so Developers fix what the automated tooling detected at a certain point in time

Add Application Security Telemetry
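The slides just above (we do not know who is attacking us, we do not know what they are attacking, so developers fix whatever the scanner found) and the earlier call to add defense based on behaviors describe the gap that application security telemetry is meant to close. What follows is an added example, not code from the talk or from any vendor product: it parses constructed Common Log Format lines, tags each request with behavioural signals, and aggregates them per client and per target path so that an alert or block decision rests on a pattern of requests rather than on one matched signature. The log lines, the signal names, the regexes and the weights are all this example's own assumptions.

```python
"""Application security telemetry over web access logs.

Added example, not code from the talk or from any vendor product: turn raw
request logs into the two answers the slides say we lack (who is attacking
us, and what they are attacking) by tagging each request with behavioural
signals and aggregating them per client IP and per target path.
Log format, signal names, regexes and weights are this example's assumptions.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Common Log Format with a quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
# Deliberately small SQL injection and path traversal markers, applied to the
# URL-decoded input; a real deployment needs a fuller rule set. The point of
# the example is the aggregation, not the signatures.
SQLI_RE = re.compile(r"('\s*or\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\s)", re.I)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

# How much each signal says about intent: one 404 is noise, one UNION SELECT is not.
WEIGHTS = {"sqli": 3, "traversal": 3, "login_success_after_failures": 3,
           "login_failure": 1, "error_after_attack": 1, "not_found": 0.5}

# Constructed sample log for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2015:13:55:37 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 500 312
203.0.113.7 - - [10/Oct/2015:13:55:38 +0000] "GET /products?id=42%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1" 500 312
203.0.113.7 - - [10/Oct/2015:13:55:39 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 404 210
198.51.100.9 - - [10/Oct/2015:13:56:01 +0000] "POST /login HTTP/1.1" 401 88
198.51.100.9 - - [10/Oct/2015:13:56:02 +0000] "POST /login HTTP/1.1" 401 88
198.51.100.9 - - [10/Oct/2015:13:56:03 +0000] "POST /login HTTP/1.1" 401 88
198.51.100.9 - - [10/Oct/2015:13:56:04 +0000] "POST /login HTTP/1.1" 200 1044
192.0.2.55 - - [10/Oct/2015:13:57:10 +0000] "GET /products?id=7 HTTP/1.1" 200 4870
192.0.2.55 - - [10/Oct/2015:13:57:12 +0000] "POST /login HTTP/1.1" 401 88
"""


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    # Decode before inspecting, otherwise %27 hides the quote from the regex.
    rec["decoded_path"] = unquote(path)
    rec["query"] = unquote(query)
    return rec


def tag_request(rec):
    """Return the set of behavioural signals a single request exhibits."""
    signals = set()
    if SQLI_RE.search(rec["query"]):
        signals.add("sqli")
    if TRAVERSAL_RE.search(rec["decoded_path"]):
        signals.add("traversal")
    if rec["path"] == "/login" and rec["method"] == "POST" and rec["status"] == 401:
        signals.add("login_failure")
    if rec["status"] == 404:
        signals.add("not_found")
    if rec["status"] >= 500 and signals:
        signals.add("error_after_attack")  # the payload reached the application
    return signals


def build_telemetry(log_text):
    """Aggregate signals per client IP and per target path."""
    by_client = defaultdict(Counter)
    by_target = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        signals = tag_request(rec)
        # Cross-request signal: a login that succeeds after repeated failures
        # from the same client is what a credential-stuffing hit looks like.
        if (rec["path"] == "/login" and rec["method"] == "POST"
                and rec["status"] == 200
                and by_client[rec["ip"]]["login_failure"] >= 3):
            signals.add("login_success_after_failures")
        for sig in signals:
            by_client[rec["ip"]][sig] += 1
            by_target[rec["path"]][sig] += 1
    return by_client, by_target


def score(counter):
    """Weighted sum of a client's or target's signals."""
    return sum(WEIGHTS[sig] * n for sig, n in counter.items())


def attackers(by_client, threshold=3):
    """Who is attacking us: clients whose weighted signals reach the threshold."""
    return sorted(ip for ip, c in by_client.items() if score(c) >= threshold)


def targets_under_attack(by_target):
    """What they are attacking: paths ordered by weighted signal score, highest first."""
    return sorted(by_target.items(), key=lambda kv: -score(kv[1]))


if __name__ == "__main__":
    clients, targets = build_telemetry(SAMPLE_LOG)
    for ip in attackers(clients):
        print("attacker", ip, dict(clients[ip]))
    for path, c in targets_under_attack(targets):
        print("target", path, score(c), dict(c))
```

Run it as a script to see the per-client and per-target summaries. Two things fall out of the aggregation that no per-request signature gives you: the 203.0.113.7 payloads that produced 500s show that /products is where the injection is actually being exercised, and the 198.51.100.9 login that succeeds after three 401s is a credential-stuffing hit that a per-request rule would have passed as a normal login.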
badidea #4
Put in tooling that no one outside of security can understand

usually in the name of compliance

“Get a Web App Firewall dude!” - PCI-DSS Req 6.6

Choose your own adventure…

smallest possible solution you can consider a WAF…

Our CDN added ModSecurity Ruleset. Huzzah!
![Page 114: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/114.jpg)
@wickett #ruggeddevops
An appliance that
blocks all the things
![Page 115: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/115.jpg)
@wickett #ruggeddevops
And now you wonder
why no one eats lunch
with you anymore
![Page 116: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/116.jpg)
“every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone’s eyes open to the effort required to get and keep the WAF running productively.” - a whitepaper from a WAF vendor
![Page 117: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/117.jpg)
![Page 118: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/118.jpg)
Ok, Security has to change…
How do we add value already?
![Page 119: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/119.jpg)
Two ways!
![Page 120: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/120.jpg)
Add value to Devs
Add value to ops
![Page 121: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/121.jpg)
Pray that someone notices
![Page 122: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/122.jpg)
![Page 123: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/123.jpg)
Pro-Tip #1
Automate security tooling to run in testing
![Page 124: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/124.jpg)
Start with adding just one test for XSS on a few pages in your app
![Page 125: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/125.jpg)
![Page 126: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/126.jpg)
gauntlt automates security tools
![Page 127: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/127.jpg)
GAUNTLT
Open source, MIT License
Gauntlt comes with pre-canned steps that hook security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr
![Page 128: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/128.jpg)
![Page 129: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/129.jpg)
![Page 130: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/130.jpg)
![Page 131: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/131.jpg)
![Page 132: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/132.jpg)
![Page 133: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/133.jpg)
here’s an XSS attack you can use
![Page 134: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/134.jpg)
```gherkin
@slow @final
Feature: Look for cross site scripting (xss) using arachni against a URL

  Scenario: Using arachni, look for cross site scripting and verify no issues are found
    Given "arachni" is installed
    And the following profile:
      | name | value                 |
      | url  | http://localhost:8008 |
    When I launch an "arachni" attack with:
      """
      arachni --modules=xss --depth=1 --link-count=10 --auto-redundant=2 <url>
      """
    Then the output should contain "0 issues were detected."
```
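The attack file above only works in CI because of the contract the earlier slide names: launch the tool, read its stdout, turn the result into an exit status. The following is an added example (not gauntlt's own code) that reduces that contract to two plain Ruby functions. The `<url>` profile substitution and the expected-output check mirror the attack file; the `echo` command standing in for arachni is constructed so the example runs without a scanner or a target application.

```ruby
require 'open3'

# Substitute profile values into the attack command. The "<url>" token in the
# attack file is filled from the profile table; an unknown token is an error
# rather than being passed through to the tool unnoticed.
def expand_profile(template, profile)
  template.gsub(/<(\w+)>/) do |token|
    name = Regexp.last_match(1)
    profile.fetch(name) { raise KeyError, "no profile value for #{token}" }
  end
end

# Run the command through the shell and gate on its output, the way a
# gauntlt step does. Returns what a CI job needs: the tool's own
# stdout/stderr and exit code, the verdict, and the exit status the wrapper
# itself should return (0 only when the tool succeeded AND the expected
# string is present).
def run_attack(command, expected_output)
  stdout, stderr, status = Open3.capture3(command)
  passed = status.success? && stdout.include?(expected_output)
  {
    stdout: stdout,
    stderr: stderr,
    tool_exit: status.exitstatus,
    passed: passed,
    exit_status: passed ? 0 : 1
  }
end

if $PROGRAM_NAME == __FILE__
  # Constructed stand-in for an arachni run with a clean result.
  profile = { 'url' => 'http://localhost:8008' }
  command = expand_profile('echo "scanning <url> ... 0 issues were detected."', profile)
  result = run_attack(command, '0 issues were detected.')
  warn result[:stderr] unless result[:stderr].empty?
  puts result[:stdout]
  puts "wrapper exit status: #{result[:exit_status]}"
end
```

The wrapper deliberately fails both when the tool exits non-zero and when the expected string is absent: a scanner that crashed before reporting must not be read as "0 issues".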
![Page 135: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/135.jpg)
http://theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-devops/
![Page 137: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/137.jpg)
Email [email protected] before the end of the day for a review copy
Hands-on Gauntlt Book for Goto Attendees
![Page 138: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/138.jpg)
Pro-tip #2
Put security testing in your continuous integration system
![Page 139: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/139.jpg)
![Page 140: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/140.jpg)
![Page 141: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/141.jpg)
https://speakerdeck.com/garethr/battle-tested-code-without-the-battle
![Page 142: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/142.jpg)
Pro-Tip #3
Add Application Security telemetry to devs and ops
![Page 143: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/143.jpg)
Convert App Security Logs into metrics in the systems dev and ops use
StatsD
![Page 144: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/144.jpg)
RunTime Correlation between biz, ops, dev, sec
![Page 145: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/145.jpg)
SQLi Attempts + HTTP 500’s
or
login spikes + transaction decrease
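To make the two preceding slides concrete (app security logs converted into StatsD counters, then correlated with ops signals at runtime), here is an added example that is not part of the talk. The log lines are constructed key=value records as an application's own security instrumentation might emit them, the metric names (`appsec.sqli`, `http.status.500`) are assumed, and the StatsD packets use the standard `name:value|c` counter format over UDP. The correlation rule flags a minute in which SQLi signals and HTTP 500s rise together, which is the first pattern on the slide; the login-spike pattern follows the same shape with different counters.

```ruby
require 'socket'
require 'time'

# Constructed sample, not from the talk: one line per request.
SAMPLE_LOG = <<~LOG
  2015-06-09T12:00:01Z method=GET path=/search status=200 signal=-
  2015-06-09T12:00:02Z method=GET path=/search status=500 signal=sqli
  2015-06-09T12:00:03Z method=POST path=/login status=200 signal=-
  2015-06-09T12:00:04Z method=GET path=/search status=500 signal=sqli
  2015-06-09T12:00:05Z method=GET path=/items status=200 signal=xss
  2015-06-09T12:01:10Z method=POST path=/login status=401 signal=-
  2015-06-09T12:01:11Z method=POST path=/login status=401 signal=-
  2015-06-09T12:01:12Z method=POST path=/checkout status=200 signal=-
LOG

LINE_RE = /\A(?<ts>\S+) method=(?<method>\S+) path=(?<path>\S+) status=(?<status>\d{3}) signal=(?<signal>\S+)\z/

# Parse one log line; returns nil for lines that do not match the format.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { ts: Time.iso8601(m[:ts]), method: m[:method], path: m[:path],
    status: m[:status].to_i, signal: m[:signal] }
end

# Map one event to the StatsD counters it should increment (names assumed).
# Every request counts under its status; only flagged requests count under
# their security signal.
def metrics_for(ev)
  names = ["http.status.#{ev[:status]}"]
  names << "appsec.#{ev[:signal]}" unless ev[:signal] == '-'
  names
end

# StatsD wire format for a counter increment: "<name>:1|c".
def statsd_packets(events)
  events.flat_map { |ev| metrics_for(ev).map { |name| "#{name}:1|c" } }
end

# Ship packets to a StatsD daemon over UDP (fire and forget).
def send_statsd(packets, host: '127.0.0.1', port: 8125)
  sock = UDPSocket.new
  packets.each { |p| sock.send(p, 0, host, port) }
ensure
  sock&.close
end

# Bucket counts per minute so they line up with the ops dashboards.
def per_minute_counts(events)
  acc = Hash.new { |h, k| h[k] = Hash.new(0) }
  events.each do |ev|
    bucket = ev[:ts].utc.strftime('%Y-%m-%dT%H:%M')
    metrics_for(ev).each { |name| acc[bucket][name] += 1 }
  end
  acc
end

# Runtime correlation: minutes where SQLi signals and HTTP 500s both exceed
# their thresholds. Thresholds are constructed; tune them to your baseline.
def correlated_minutes(counts, min_sqli: 2, min_500: 2)
  counts.select { |_, c| c['appsec.sqli'] >= min_sqli && c['http.status.500'] >= min_500 }.keys
end

if $PROGRAM_NAME == __FILE__
  events = SAMPLE_LOG.lines.map { |l| parse_line(l) }.compact
  packets = statsd_packets(events)
  # Only send when a StatsD host is configured, so the example runs offline.
  send_statsd(packets, host: ENV['STATSD_HOST']) if ENV['STATSD_HOST']
  per_minute_counts(events).each { |minute, c| puts "#{minute} #{c.inspect}" }
  puts "correlated: #{correlated_minutes(per_minute_counts(events)).inspect}"
end
```

Emitting the same counters the ops dashboards already graph is the point: a security signal that lands next to the HTTP 500 rate is one that developers and operators will actually look at.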
![Page 146: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/146.jpg)
Runtime Instrumentation for Application Security
![Page 147: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/147.jpg)
Pro-Tip #4
Get hugs from the auditors and add Hardening and Audit using config management
![Page 148: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/148.jpg)
Open Source Hardening Framework
chef/puppet/ansible
http://hardening.io/
![Page 149: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/149.jpg)
Run Nightly Audits of your Hardening using Config Management (Chef audit mode)
https://www.chef.io/blog/2015/04/09/chef-audit-mode-cis-benchmarks/
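What a nightly hardening audit actually does, shown as an added example in plain Ruby rather than in the Chef audit-mode DSL the slide refers to (this is not code from hardening.io or Chef). The baseline settings are assumed for illustration, the sshd_config text is constructed, and the parser follows sshd's rule that the first occurrence of a keyword wins, so a hardened line added below an earlier weak one is correctly reported as a failure.

```ruby
# Assumed baseline for illustration; a real one would come from a published
# benchmark or the hardening framework's own defaults.
BASELINE = {
  'PermitRootLogin'        => 'no',
  'PasswordAuthentication' => 'no',
  'Protocol'               => '2',
  'X11Forwarding'          => 'no'
}.freeze

# Constructed sample, not a real host's file. Note the duplicate
# PermitRootLogin and the commented-out PasswordAuthentication.
SAMPLE_SSHD_CONFIG = <<~CFG
  # sshd_config (constructed sample)
  Port 22
  Protocol 2
  PermitRootLogin yes
  PermitRootLogin no
  #PasswordAuthentication no
  X11Forwarding no
CFG

# Parse "Keyword value" lines, ignoring comments and blanks. Keys are
# lower-cased because sshd keywords are case-insensitive, and the first
# value seen for a keyword is kept because that is the one sshd honours.
def parse_sshd_config(text)
  text.each_line.each_with_object({}) do |line, cfg|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    cfg[key.downcase] ||= value
  end
end

# Compare parsed settings against the baseline. Each finding records the
# expected and actual value and one of three states: :pass, :fail (present
# but wrong) or :missing (not set, so the compiled-in default applies).
def audit(cfg, baseline)
  baseline.map do |key, want|
    got = cfg[key.downcase]
    status = if got.nil? then :missing
             elsif got.casecmp?(want) then :pass
             else :fail
             end
    { key: key, expected: want, actual: got, status: status }
  end
end

# Exit status for the scheduled job: 0 only when every control passes, so the
# nightly run can page or open a ticket on any drift.
def exit_status(findings)
  findings.all? { |f| f[:status] == :pass } ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  findings = audit(parse_sshd_config(SAMPLE_SSHD_CONFIG), BASELINE)
  findings.each do |f|
    puts format('%-8s %-24s expected=%-4s actual=%s', f[:status], f[:key], f[:expected], f[:actual].inspect)
  end
  puts "audit exit status: #{exit_status(findings)}"
end
```

Treating a missing setting as its own state matters: the audit should not silently accept a daemon's compiled-in default as equivalent to an explicit hardened value.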
![Page 150: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/150.jpg)
OS and Config Management
![Page 151: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/151.jpg)
reverse the trend
Add Value to Devs
Add Value to Ops
![Page 152: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/152.jpg)
Summary
Software development has been a constant experiment in how we know anything
Application Security abdicated runtime responsibility and effectively abdicated development responsibility through incoherent philosophical approaches and fostering organizational silos
DevOps is here to stay, and security can actually be a part of it
Ops found a way to add value, security needs to find that same path
There are three ways we can add value: at development, at deploy, at runtime
![Page 153: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/153.jpg)
![Page 154: How to Effect Change in the Epistemological Wasteland of Application Security](https://reader030.vdocuments.us/reader030/viewer/2022020301/587b98ef1a28ab4e4f8b6fa1/html5/thumbnails/154.jpg)
Thanks!