Integrating DevOps and Security

Upload: stijn-muylle

Post on 12-Apr-2017

TRANSCRIPT

Integrating DevOps and Security

$whoami

• Independent consultant

• Ethical hacking

• Organising security

• Building applications

• Twitter: @ddccffvv

Goals

Improving security

Bringing dev/ops/QA/… and security together

Making your life better

Part 1: Where are we now?

zuckerberg slide

IT is changing

We’re only getting started

Increasingly dependent

Rising importance of security

Part 2: Bringing everyone together

zuckerberg slide

Uncertainty is a threat

Rugged DevOps

security

Security today is where the infrastructure team was before DevOps:

• Does not like risk (change)

• Tries to keep control

• Becomes the bottleneck

How did we solve this before?

1) Empathy

2) Automate

3) Feedback loops

“We found that blockages at the end of the project were much more expensive than at the beginning - and InfoSec blockages were among the worst”

Justin Arbuckle

“By having Infosec involved throughout the creation of any new capability, we were able to reduce our use of static checklists dramatically and rely more on using their expertise throughout the entire software development process.”

Justin Arbuckle

Message to infosec people:

Don’t (only) say no!

Say: We could do it this way…

Part 3: Tactics (to scale)

1) Empathy

2) Automate

3) Feedback loops

Defect Tracking & Post Mortem

Security issues in work tracker:

Visibility ++

Priorities ++

Security issue -> post mortem

Rework --

Team knowledge ++

Preventive security controls

Provide security libraries or services that every modern application or environment requires.

Place them in a central location, easily accessible to anyone.

Preventive security controls

• libraries/configs

• secret management

• OS packages/builds

Security in deployment pipeline

Automate as many security tests as possible so that they run alongside the other tests in the deployment pipeline.

Security in deployment pipeline

• Static scanning

• Dynamic scanning

• Sad path
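One form a sad-path test takes in practice, as an added example that is not from the slides: a file-download handler and a list of abusive inputs it must refuse. The handler, the base directory and the inputs are constructed for illustration; the script exits non-zero on any leak so it can run next to the other tests in the pipeline.

```python
"""Sad-path tests for a file-download handler, run as part of the deployment
pipeline. Added example; the handler, base directory and attack inputs are
constructed for illustration."""
import posixpath

MAX_NAME_LEN = 64
BASE_DIR = "/srv/files"  # constructed; would be the real download root


class RejectedInput(Exception):
    """Raised for any request the handler refuses to serve."""


def resolve_download(base_dir, requested):
    """Map a client-supplied file name onto a path inside base_dir.

    Happy path: a single plain file name. Every sad path must raise
    RejectedInput instead of yielding a path outside base_dir.
    """
    if not isinstance(requested, str):
        raise RejectedInput("name must be a string")
    if not requested or len(requested) > MAX_NAME_LEN:
        raise RejectedInput("bad length")
    if "\x00" in requested:
        raise RejectedInput("NUL byte in name")
    # Normalising must be a no-op and leave a single path component;
    # anything else is a traversal attempt or a stray separator.
    normalised = posixpath.normpath(requested)
    if normalised != requested or "/" in normalised or normalised in (".", ".."):
        raise RejectedInput("path traversal or separator")
    full = posixpath.join(base_dir, normalised)
    # Defence in depth: the joined path must still sit under base_dir.
    if posixpath.commonpath([base_dir, full]) != base_dir:
        raise RejectedInput("escaped base directory")
    return full


# Constructed abusive inputs, one per failure mode the handler must cover.
SAD_PATHS = {
    "empty": "",
    "traversal": "../../etc/passwd",
    "absolute": "/etc/passwd",
    "dotdot_only": "..",
    "nested_dotdot": "reports/../../secret.txt",
    "nul_byte": "report.pdf\x00.exe",
    "oversize": "A" * (MAX_NAME_LEN + 1),
    "wrong_type": ["report.pdf"],
}


def run_sad_path_tests(base_dir=BASE_DIR):
    """Feed every sad path to the handler; return the names of the cases
    that were wrongly accepted. An empty list means the gate passes."""
    leaks = []
    for name, payload in SAD_PATHS.items():
        try:
            resolve_download(base_dir, payload)
        except RejectedInput:
            continue
        leaks.append(name)
    return leaks


if __name__ == "__main__":
    failures = run_sad_path_tests()
    print("happy path:", resolve_download(BASE_DIR, "report.pdf"))
    print("sad-path leaks:", failures or "none")
    raise SystemExit(1 if failures else 0)
```

The cases are deliberately one per failure mode (length, type, encoding, traversal, absolute path), so a regression in the handler names the exact check that was lost rather than just "a test failed".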

A word about false positives

versus

Security of software supply chain

“The typical organization uses 18,614 external software parts. Of those components being used, 7.5% had known vulnerabilities, with over 66% of those vulnerabilities being over two years old without having been resolved.”

Sonatype 2015 State of the Software Supply Chain Report
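An added example, not from the slides or from Sonatype, of the kind of check behind those numbers: audit a pinned dependency manifest against a list of known-vulnerable versions and flag advisories that have gone unresolved for more than two years. Package names, versions, advisory dates and the reference date are all constructed (hypothetical packages, not real advisories); a real run would take them from an SBOM tool or a vulnerability feed.

```python
"""Audit a pinned dependency manifest against known-vulnerable versions and
flag advisories unresolved for more than two years. Added example; the
manifest, advisory list and reference date are constructed (hypothetical
package names, not real advisories)."""
import re
from datetime import date

# Constructed manifest in requirements.txt style.
MANIFEST = """\
acme-http==2.5.0
webfw==0.12.2
yamlish==3.11   # pinned for the legacy config loader
cryptolib==2.1.4
"""

# Constructed advisory data: versions below fixed_in are affected.
# A real run would pull this from an SBOM tool or a vulnerability feed.
ADVISORIES = [
    {"package": "acme-http", "fixed_in": (2, 6, 0), "published": date(2015, 3, 14)},
    {"package": "yamlish", "fixed_in": (4, 1, 0), "published": date(2016, 11, 1)},
    {"package": "cryptolib", "fixed_in": (2, 1, 0), "published": date(2016, 1, 1)},
]

TODAY = date(2017, 4, 12)  # constructed reference date
STALE_AFTER_DAYS = 2 * 365

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """'3.11' -> (3, 11); tuples compare component-wise like versions."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return {package: version_tuple}; comments and blank lines are skipped.
    Anything that is not an exact pin is an error: an unpinned dependency
    cannot be audited."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        deps[m.group(1).lower()] = parse_version(m.group(2))
    return deps


def audit(manifest_text, advisories, today):
    """List every dependency pinned below a fixed version, with advisory age."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"])
        if installed is None or installed >= adv["fixed_in"]:
            continue
        age = (today - adv["published"]).days
        findings.append({
            "package": adv["package"],
            "installed": installed,
            "fixed_in": adv["fixed_in"],
            "age_days": age,
            "stale": age > STALE_AFTER_DAYS,
        })
    return findings


def summarise(findings, total_components):
    """The two ratios the report quotes: share of components with a known
    issue, and share of those issues older than two years."""
    vulnerable = len(findings)
    stale = sum(1 for f in findings if f["stale"])
    return {
        "components": total_components,
        "vulnerable": vulnerable,
        "vulnerable_pct": round(100.0 * vulnerable / total_components, 1) if total_components else 0.0,
        "stale_pct_of_vulnerable": round(100.0 * stale / vulnerable, 1) if vulnerable else 0.0,
    }


def run_audit(manifest_text=MANIFEST, advisories=ADVISORIES, today=TODAY):
    findings = audit(manifest_text, advisories, today)
    summary = summarise(findings, len(parse_manifest(manifest_text)))
    return findings, summary


if __name__ == "__main__":
    findings, summary = run_audit()
    for f in findings:
        ver = ".".join(map(str, f["installed"]))
        fix = ".".join(map(str, f["fixed_in"]))
        flag = " (unresolved > 2 years)" if f["stale"] else ""
        print(f"{f['package']}=={ver}: fixed in {fix}, advisory {f['age_days']} days old{flag}")
    print(summary)
    # Fail the build when anything vulnerable is pinned.
    raise SystemExit(1 if findings else 0)
```

Refusing unpinned requirements is deliberate: a range such as `>=2.0` cannot be compared against a fixed version, and a manifest the auditor cannot read should fail the build loudly rather than pass silently.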

Security and monitoring

How do you know if you’ve been compromised?

Security and monitoring

“Year after year, in the vast majority of cardholder breaches, organisations detected the security breach months or quarters after the breach occurred. Worse, the way the breach was detected was not an internal monitoring control, but was far more likely someone outside of the organization”

Marcus Sachs (Verizon data breach researcher)

Security and monitoring

• Set up central monitoring and make it easy to use

• Application level

• Environment

Security and monitoring: Etsy example

• abnormal process terminations

• internal server errors (500)

• database syntax error

• indication of sql injection attacks (UNION ALL)

“Nothing helps you understand how hostile the operating environment is more than seeing your code being attacked in real-time.”

Nick Galbreath
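The four Etsy signals above as detection logic over log lines, as an added example that is not Etsy's code: classify each line, count the signals, and raise an alert when one client repeatedly sends injection-looking requests. The log lines, their formats and the alert threshold are constructed.

```python
"""Etsy-style security signals computed from log lines. Added example, not
Etsy's code; the sample lines, their formats and the alert threshold are
constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: access-log lines, an application log line carrying a
# database error, and a process supervisor line for a crashed worker.
SAMPLE_LOG = """\
10.0.0.12 - - [12/Apr/2017:10:02:31 +0000] "GET /search?q=shoes HTTP/1.1" 200 5120
10.0.0.12 - - [12/Apr/2017:10:02:33 +0000] "GET /search?q=shoes%27%20UNION%20ALL%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 312
app[web-3]: ERROR database: syntax error at or near "UNION" in statement for /search
10.0.0.40 - - [12/Apr/2017:10:02:35 +0000] "GET /item/42 HTTP/1.1" 200 2201
supervisord: web-3 exited: process terminated by signal SIGSEGV (pid 4411)
10.0.0.12 - - [12/Apr/2017:10:02:36 +0000] "GET /item/42%20OR%201=1 HTTP/1.1" 404 120
10.0.0.77 - - [12/Apr/2017:10:02:40 +0000] "POST /checkout HTTP/1.1" 500 98
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+$'
)
# Crude but cheap: the point is a counter that moves when probing starts,
# not a parser that catches every injection.
SQLI_RE = re.compile(r"(?i)(union\s+all|union\s+select|\bor\s+1\s*=\s*1\b|--$)")
DB_ERR_RE = re.compile(r"(?i)database:.*syntax error")
PROC_RE = re.compile(r"(?i)exited:.*(signal|core dumped|terminated)")


def classify(line):
    """Return (signals, client_ip) for one log line; ip is None unless the
    line is an access-log entry."""
    signals, ip = set(), None
    m = ACCESS_RE.match(line)
    if m:
        ip = m.group("ip")
        if m.group("status") == "500":
            signals.add("server_error_500")
        # Decode before matching: attackers URL-encode the payload.
        if SQLI_RE.search(unquote(m.group("path"))):
            signals.add("sqli_indicator")
    elif DB_ERR_RE.search(line):
        signals.add("db_syntax_error")
    elif PROC_RE.search(line):
        signals.add("abnormal_process_exit")
    return signals, ip


def scan(log_text):
    """Aggregate signals over a log: totals per signal, injection-looking
    requests per client, and the lines that fired."""
    counts, sqli_by_ip, flagged = Counter(), Counter(), []
    for line in log_text.splitlines():
        signals, ip = classify(line)
        if not signals:
            continue
        counts.update(signals)
        if "sqli_indicator" in signals and ip:
            sqli_by_ip[ip] += 1
        flagged.append((sorted(signals), line))
    return {"counts": counts, "sqli_by_ip": sqli_by_ip, "flagged": flagged}


def alerts(report, sqli_threshold=2):
    """Turn the counters into alert messages; the threshold is constructed."""
    out = []
    for ip, n in sorted(report["sqli_by_ip"].items()):
        if n >= sqli_threshold:
            out.append(f"possible SQL injection probing from {ip}: {n} requests")
    if report["counts"]["db_syntax_error"] and report["counts"]["sqli_indicator"]:
        out.append("database syntax errors coincide with injection-looking requests")
    if report["counts"]["abnormal_process_exit"]:
        out.append(f"{report['counts']['abnormal_process_exit']} abnormal process exit(s)")
    return out


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for signal in ("server_error_500", "db_syntax_error", "sqli_indicator", "abnormal_process_exit"):
        print(f"{signal:24s} {report['counts'][signal]}")
    for msg in alerts(report):
        print("ALERT:", msg)
```

The useful property is correlation rather than any single match: a database syntax error in the same window as an injection-looking request is a much stronger signal than either alone, and the per-client counter turns a single suspicious hit into a trend the team can watch.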

1) Empathy

2) Automate

3) Feedback loops

Questions and discussion