Why DevOps != the Wild West and How Embracing it Can Improve Security
RSA Conference 2015
Dan Cundiff (@pmotch), Target Corporation

A true story about saying NO to DevOps

Empathizing with the wild west POV

Us vs. them

The Local Optima problem

Dev incentive: speed of shipping
Ops incentive: availability

Ops thinks actions by Dev to ↑ speed of shipping mean availability ↓

Dev thinks actions by Ops to ↑ availability mean speed of shipping ↓

Security thinks actions by Dev to ↑ speed of shipping mean security ↓

Dev thinks actions by Security to ↑ security mean speed of shipping ↓

“A system of local optimums is not an optimum system at all; it is a very inefficient system.” (Eliyahu Goldratt, The Goal)

So how can we have both?

DevOps!

Dev + Ops + SecOps = DevOpsSec

Examples across the CALMS spectrum:
Culture
Automation
Lean
Measurement
Sharing

continuous integration + code scanning

continuous integration + vulnerability scanning

CI encourages smaller changes, making it easier to spot security issues
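The two preceding slides name the technique but not the mechanics. The block below is an added example, not code from the talk or from Target: a CI gate that runs after the scanner and fails the build only on findings that are new relative to a committed baseline, which is what makes a scan gate tolerable on every pull request rather than a quarterly report nobody reads. The finding format (rule, path, line, severity) is a constructed, tool-agnostic JSON shape, not any real scanner's output, and both sample result sets are made up for the demo.

```python
"""
Added example (not from the original talk): a CI gate that fails the build
only on findings that are new relative to a committed baseline.
The finding shape (rule, path, line, severity) is constructed and
tool-agnostic; it is not any real scanner's output format.
"""
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: findings recorded when the baseline was last accepted.
BASELINE_JSON = json.dumps([
    {"rule": "hardcoded-secret", "path": "app/config.py", "line": 12, "severity": "high"},
    {"rule": "weak-hash-md5", "path": "app/auth.py", "line": 40, "severity": "medium"},
])

# Constructed sample: findings from scanning the current pull request.
CURRENT_JSON = json.dumps([
    {"rule": "hardcoded-secret", "path": "app/config.py", "line": 14, "severity": "high"},  # known issue, moved two lines
    {"rule": "weak-hash-md5", "path": "app/auth.py", "line": 40, "severity": "medium"},     # known issue, unchanged
    {"rule": "sql-injection", "path": "app/search.py", "line": 77, "severity": "high"},     # new, blocks the build
    {"rule": "debug-enabled", "path": "app/settings.py", "line": 3, "severity": "low"},    # new, below threshold
])


def fingerprint(finding):
    """Identify a finding by rule and file rather than by line number, so an
    unrelated edit that shifts code up or down does not re-raise a known issue."""
    return (finding["rule"], finding["path"])


def new_findings(baseline, current):
    """Findings in the current scan whose fingerprint is absent from the baseline."""
    known = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in known]


def gate(baseline_json, current_json, fail_at="high"):
    """Return (passed, blocking_findings): passed is False when any new finding
    is at or above the fail_at severity."""
    baseline = json.loads(baseline_json)
    current = json.loads(current_json)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in new_findings(baseline, current)
                if SEVERITY_RANK[f["severity"]] >= threshold]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    passed, blocking = gate(BASELINE_JSON, CURRENT_JSON)
    for f in blocking:
        print(f"NEW {f['severity'].upper()}: {f['rule']} at {f['path']}:{f['line']}")
    raise SystemExit(0 if passed else 1)
```

The baseline file lives in the repository and is updated through a pull request like any other change, so accepting a known finding is itself reviewable. The caveat is the fingerprint: rule plus path masks a second, distinct instance of the same rule appearing in a file that already carried one; hashing the offending source line into the fingerprint is more precise at the cost of re-raising a finding whenever that line is edited.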

Social coding = who changed what, when, and why (git blame + pull request commentary)

Social coding = a pull request is a code review

Social coding = PRs seeking +1s from security partners

Social coding = the ability to ask questions on any line of code

Security documentation as code

Security team’s processes and tools need to be responsive to CI/CD

(e.g. file-integrity monitoring (FIM) baselines updated continuously with each deploy rather than reviewed quarterly)
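What a deploy-driven FIM baseline looks like in practice, as an added example that is not code from the talk or from Target: the pipeline computes a manifest of the release it just laid down, stores it with the release, and the host is later compared against that manifest. The directory layout, file contents and the three tampering actions are constructed for the demo.

```python
"""
Added example (not from the original talk): a file-integrity baseline
generated from the release artifact at deploy time, so the expected state
moves with every deploy instead of being re-reviewed quarterly.
The directory layout and file contents below are constructed for the demo.
"""
import hashlib
import os
import pathlib
import tempfile


def manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = pathlib.Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        result[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def compare(baseline, observed):
    """Classify drift between the baseline manifest and what is on the host."""
    added = sorted(set(observed) - set(baseline))
    removed = sorted(set(baseline) - set(observed))
    modified = sorted(p for p in set(baseline) & set(observed) if baseline[p] != observed[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    path = pathlib.Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Deploy a release, baseline it, change the host behind the pipeline's back, report drift."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed release contents, as the pipeline would lay them down.
        _write(root, "bin/app", b"#!/bin/sh\nexec python3 /opt/app/app.py\n")
        _write(root, "etc/app.conf", b"debug = false\nlisten = 127.0.0.1:8080\n")
        _write(root, "lib/helper.py", b"def helper():\n    return 1\n")
        baseline = manifest(root)  # the pipeline stores this alongside the release

        # Changes made on the host without going through the pipeline.
        _write(root, "etc/app.conf", b"debug = true\nlisten = 0.0.0.0:8080\n")  # config weakened
        _write(root, "bin/.cache", b"\x7fELF")                                  # dropped binary
        os.remove(pathlib.Path(root, "lib/helper.py"))                           # file deleted
        return compare(baseline, manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

The baseline has to come from the pipeline's copy of the artifact, not from the host after the fact; a host that baselines itself will happily attest to its own tampering. The same manifest doubles as the FIM configuration the talk asks for: every deploy rewrites it, so nobody has to hand-edit an exclusion list each quarter.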

Give security access to your backlogs; tag commits with issue IDs
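Tagging commits with issue IDs only helps the security team if it is enforced, so here is an added example (not from the talk or from Target) of a git commit-msg hook that rejects a commit whose message references no backlog item. The project keys SEC and APP and the hook's wording are assumptions for illustration.

```python
"""
Added example (not from the original talk): a git commit-msg hook that
rejects commits whose message does not reference a backlog item, so every
change in the log traces to the issue that motivated it.
Install as .git/hooks/commit-msg (executable); git passes the path of the
message file as argv[1]. The project keys are assumed for illustration.
"""
import re
import sys

# Assumed tracker project keys; a real hook would take these from the tracker.
ISSUE_KEYS = ("SEC", "APP")
ISSUE_RE = re.compile(r"\b(?:%s)-\d+\b" % "|".join(ISSUE_KEYS))


def issue_ids(message):
    """Return the issue IDs referenced in a commit message. Lines starting
    with '#' are ignored so an ID in git's template hints does not count."""
    body = "\n".join(line for line in message.splitlines() if not line.startswith("#"))
    return [m.group(0) for m in ISSUE_RE.finditer(body)]


def is_acceptable(message):
    """Merge and revert commits are generated by git and carry the original
    commit's context; everything else needs at least one issue ID."""
    stripped = message.strip()
    first = stripped.splitlines()[0] if stripped else ""
    if first.startswith(("Merge ", "Revert ")):
        return True
    return bool(issue_ids(message))


def main(argv):
    with open(argv[1], encoding="utf-8") as fh:
        message = fh.read()
    if is_acceptable(message):
        return 0
    sys.stderr.write(
        "commit rejected: reference a backlog item (e.g. SEC-123 or APP-45) in the message\n")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A client-side hook is a convenience, not a control, since anyone can skip it with `--no-verify`; the enforcing copy of the same check belongs in the CI job or a server-side pre-receive hook. The payoff is the other half of the slide: once every commit carries an ID, a security partner reading the backlog can go straight from a ticket to the exact diff, and from a suspicious line in `git blame` back to the ticket.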

ChatOps, conversation-driven development, stitching in security events, security teams listening and talking, etc.

Dev and Ops sharing metrics/logs

Better coverage; melds silos of responsibility

Blameless post mortems, even for security

https://codeascraft.com/2012/05/22/blameless-postmortems/

Infrastructure-as-code = fast, testable mass patches

Infrastructure-as-code = knowing if a security change broke the app

Infrastructure-as-code = a clear state of security config
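"Clear state of security config" is only clear if something asserts it. The block below is an added example, not code from the talk or from Target: a policy check run in the pipeline against a configuration file that infrastructure-as-code rendered, so drift from the intended security state is caught before the host exists. The sshd_config text and the policy values are constructed. It also carries the caveat a practitioner wants: sshd honours the first value it reads for a keyword, so the `PasswordAuthentication no` that a later "hardening" task appended in the sample never takes effect, and a checker that read the last occurrence would pass a host that still accepts passwords.

```python
"""
Added example (not from the original talk): a policy check over a config
file rendered by infrastructure-as-code, asserting security state in the
pipeline rather than discovering it on a host. The sshd_config sample and
the policy are constructed for the demo.
"""
import re

# Constructed: what the IaC templating produced for this host.
RENDERED = """\
# managed by configuration management
Port 22
PasswordAuthentication yes
PermitRootLogin prohibit-password
X11Forwarding no
# appended by a later "hardening" task; has no effect (first value wins)
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

# Constructed policy: keyword (lowercased) -> required value.
POLICY = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "x11forwarding": "no",
}

# keyword, then either whitespace or an optional-whitespace '=' separator, then value
_LINE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+|$)(.*)$")


def effective_settings(text):
    """Parse sshd_config-style text into {lowercased keyword: value}.

    sshd uses the FIRST value it reads for a keyword; later duplicates are
    ignored, and this parser mirrors that with setdefault. Everything after
    the first Match block applies only conditionally, so parsing stops there
    rather than mistaking a per-user setting for the global one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def violations(text, policy):
    """Return [(keyword, expected, actual)] for each policy item not met;
    actual is None when the keyword is absent (sshd's default applies)."""
    actual = effective_settings(text)
    out = []
    for key, expected in policy.items():
        got = actual.get(key)
        if got is None or got.lower() != expected:
            out.append((key, expected, got))
    return out


if __name__ == "__main__":
    for key, expected, got in violations(RENDERED, POLICY):
        print(f"{key}: expected {expected!r}, effective value is {got!r}")
```

Run against the rendered output in the same pipeline stage that would apply it, a failure here is a failed build with a readable reason, which is the "knowing if a security change broke the app" half of the slide turned around: knowing if an app change quietly undid a security setting. An absent keyword is reported as None rather than assumed safe, because the default then depends on the sshd version on the target.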

We need APIs to security vendor products

http://devops.com/blogs/devops-a-wake-up-call-to-security-vendors/

Auditors like it.*

Reduced human involvement.

Share what you’re learning and doing inside and outside of the company.

Leaders, think Kaizen. Value all employees’ ideas across Dev and Sec/Ops.

Leaders, find the risk takers pioneering this, and protect them.

Pioneers, find your forward-thinking security partners and bring them along with you.

We are hiring!

Thanks!

Dan Cundiff (@pmotch), Target Corporation