integrating devops and security
TRANSCRIPT
$whoami
• Independent consultant
• Ethical hacking
• Organising security
• Building applications
• Twitter: @ddccffvv
Security today is where the infrastructure team was before DevOps:
• Does not like risk (change)
• Tries to keep control
• Becomes the bottleneck
“We found that blockages at the end of the project were much more expensive than at the beginning - and InfoSec blockages were among the worst”
Justin Arbuckle
“By having Infosec involved throughout the creation of any new capability, we were able to reduce our use of static checklists dramatically and rely more on using their expertise throughout the entire software development process.”
Justin Arbuckle
Defect Tracking & Post Mortem
Security issues in work tracker:
• Visibility ++
• Priorities ++
Security issue -> post mortem:
• Rework --
• Team knowledge ++
Preventive security controls
• Provide security libraries or services that every modern application or environment requires
• Place them in a central location, easily accessible to anyone
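What such a central library looks like in practice, as an added example that is not code from the talk or from any named project: one module that every service imports for password storage, CSRF tokens and redirect validation, so that no team re-implements these on its own. The function names are this example's own, and the HMAC key would come from the environment's secret store in a real deployment.

```python
"""Shared security module of the kind the slide describes (added example).

Written once, published centrally, imported by every application. Uses only the
Python standard library; the function names are assumptions for this example.
"""
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlsplit

# Password storage: salted PBKDF2-HMAC-SHA256, rounds encoded in the stored string
# so they can be raised later without breaking existing hashes.
_PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${_PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
        )
    except (ValueError, TypeError):
        # Malformed stored value: treat as a failed login, never as a crash.
        return False
    # Constant-time comparison so timing does not leak digest bytes.
    return hmac.compare_digest(candidate, expected)


# CSRF tokens: a random nonce bound to the session id via HMAC, so the server
# can verify a token without storing it.
def make_csrf_token(session_id: str, key: bytes) -> str:
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), "sha256").hexdigest()
    return f"{nonce}.{mac}"


def check_csrf_token(token: str, session_id: str, key: bytes) -> bool:
    nonce, _, mac = token.partition(".")
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), "sha256").hexdigest()
    return bool(nonce) and hmac.compare_digest(mac, expected)


# Redirect targets: only same-site absolute paths are allowed, which closes
# open redirects. "//host" and "/\host" are both interpreted by browsers as
# protocol-relative URLs, so they are rejected explicitly.
def safe_redirect_target(target: str, default: str = "/") -> str:
    parts = urlsplit(target)
    if (
        parts.scheme
        or parts.netloc
        or not target.startswith("/")
        or target.startswith("//")
        or "\\" in target
    ):
        return default
    return target
```

The point of centralising these is not the individual functions but that a fix (say, raising the PBKDF2 round count or tightening the redirect check) lands in every application through one dependency update instead of a ticket per team.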
Security in deployment pipeline
Automate as many security tests as possible so that they run alongside other tests in our deployment pipeline.
Security of software supply chain
“The typical organization uses 18,614 external software parts. Of those components being used, 7.5% had known vulnerabilities, with over 66% of those vulnerabilities being over two years old without having been resolved.”
Sonatype 2015 State of the software supply chain report
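One automated test that belongs in the pipeline step described above and that addresses the supply-chain figures just quoted: a dependency gate that fails the build when a pinned component has a known vulnerability, and reports how old the advisory is. This is an added example, not the speaker's or Sonatype's code; the manifest, package names and advisory identifiers are all constructed for the example and do not refer to real software or real CVEs. In a real pipeline the advisory list would come from a vulnerability feed rather than a hard-coded list.

```python
"""Dependency gate for a deployment pipeline (added example).

Reads a constructed lock-file-style manifest, looks each component up in a
constructed advisory list, and fails when a vulnerable version is present.
Package names, versions and advisory IDs below are made up for this example.
"""
import sys
from dataclasses import dataclass
from datetime import date

# Constructed manifest, in the "name==version" form of a pip lock file.
MANIFEST = """\
examplelib==1.2.0
otherlib==4.0.1
finepkg==2.3.4
"""


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: tuple        # versions strictly below this are affected
    advisory_id: str       # hypothetical identifier, not a real CVE
    published: date


# Constructed advisory feed.
ADVISORIES = [
    Advisory("examplelib", (1, 3, 0), "EXAMPLE-ADV-001", date(2012, 6, 1)),
    Advisory("otherlib", (4, 0, 0), "EXAMPLE-ADV-002", date(2015, 1, 15)),
]


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return {package: version_tuple}, ignoring blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.lower()] = parse_version(version)
    return deps


def find_vulnerable(deps, advisories, today):
    findings = []
    for adv in advisories:
        installed = deps.get(adv.package)
        if installed is None or installed >= adv.fixed_in:
            continue
        age_days = (today - adv.published).days
        findings.append({
            "package": adv.package,
            "installed": ".".join(map(str, installed)),
            "advisory": adv.advisory_id,
            "age_years": round(age_days / 365.25, 1),
            # Flag advisories older than two years, the threshold the report used.
            "stale": age_days > 2 * 365,
        })
    return findings


def gate(manifest_text, advisories=ADVISORIES, today=date(2015, 10, 1)):
    """Return (passed, findings); the pipeline step exits non-zero when not passed."""
    findings = find_vulnerable(parse_manifest(manifest_text), advisories, today)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, findings = gate(MANIFEST)
    for f in findings:
        flag = " (older than two years)" if f["stale"] else ""
        print(f"FAIL {f['package']}=={f['installed']}: {f['advisory']}, "
              f"{f['age_years']}y old{flag}")
    sys.exit(0 if ok else 1)
```

Because the check runs on every commit next to the unit tests, a vulnerable component is caught when it is introduced, which is the cheap end of the cost curve Arbuckle describes above.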
Security and monitoring
“Year after year, in the vast majority of cardholder breaches, organisations detected the security breach months or quarters after the breach occurred. Worse, the way the breach was detected was not an internal monitoring control, but was far more likely someone outside of the organization”
Marcus Sachs (Verizon data breach researcher)
Security and monitoring
• Set up central monitoring and make it easy to use
• Application level
• Environment
Security and monitoring: Etsy example
• abnormal process terminations
• internal server errors (500)
• database syntax errors
• indications of SQL injection attacks (e.g. UNION ALL)
“Nothing helps you understand how hostile the operating environment is more than seeing your code being attacked in real-time.”
Nick Galbreath
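The four Etsy signals listed above, turned into detection logic over application logs, as an added example that is not Etsy's code or the speaker's. The log lines and their format are constructed for the example; a real deployment would feed the same classification into the central monitoring system so the counts can be graphed and alerted on.

```python
"""Application-log triage for the four signals on the Etsy slide (added example).

The log format below is an assumption for this example:
    <timestamp> <level> status=<http status> msg="<text>"
and the lines themselves are constructed.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
2015-10-01T10:00:01Z INFO status=200 msg="GET /items?id=42"
2015-10-01T10:00:02Z ERROR status=500 msg="GET /items?id=42' UNION ALL SELECT username,password FROM users--"
2015-10-01T10:00:02Z ERROR status=500 msg="db: You have an error in your SQL syntax near ''''"
2015-10-01T10:00:05Z WARN status=200 msg="GET /items?id=1 OR 1=1"
2015-10-01T10:00:07Z ERROR status=502 msg="worker 1243 exited on signal 11 (SIGSEGV)"
2015-10-01T10:00:09Z INFO status=200 msg="GET /search?q=union all the things"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<level>\w+) status=(?P<status>\d{3}) msg="(?P<msg>.*)"$'
)

# Injection indicators. "UNION ALL" alone would also match ordinary search
# text (see the last sample line), so the pattern requires the following SELECT.
SQLI_RE = re.compile(
    r"(?i)\bUNION\s+ALL\s+SELECT\b|\bOR\s+1\s*=\s*1\b|--\s*$|\bSLEEP\("
)
# Database error strings as emitted by common engines.
DB_SYNTAX_RE = re.compile(r"(?i)error in your SQL syntax|syntax error at or near")
# Abnormal process terminations reported by a worker supervisor.
ABNORMAL_EXIT_RE = re.compile(r"(?i)exited on signal|segfault|core dumped")


def classify(line):
    """Return the set of signal names one log line triggers."""
    m = LINE_RE.match(line)
    if not m:
        return {"unparsed"}
    signals = set()
    msg = m.group("msg")
    if m.group("status").startswith("5"):
        signals.add("http_5xx")
    if DB_SYNTAX_RE.search(msg):
        signals.add("db_syntax_error")
    if SQLI_RE.search(msg):
        signals.add("sqli_indicator")
    if ABNORMAL_EXIT_RE.search(msg):
        signals.add("abnormal_termination")
    return signals


def summarize(log_text):
    """Count each signal across the log; these are the series you would graph."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts.update(classify(line))
    return dict(counts)


if __name__ == "__main__":
    for name, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{name}: {count}")
```

The value of the second and third sample lines together is the point of the slide: a request carrying an injection payload followed immediately by a database syntax error is an attack being tried against the code right now, which the 500 count alone would not tell you.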