How to create a constructive force field between DevOps engineers and hackers? NOTE: Slide 4 ('Vision on IT Security') has been altered in hindsight. For questions, please contact me directly: +316 457 61 857
Lazy hackers who think out of the box, but stay in the box...
Freek Kauffmann, Security Consultant, ITQ S-Unit
• Nerd
• DevOps Engineer
• Security Consultant
• Business Developer
• Senior Coach
• Business Unit Manager
Vision on IT security
Defense / Offence
Bolt on / Integrated
Role / Team
Awareness / DNA
"Hackers" defined
• There are many definitions.
• "Hacking" defined for this presentation:
"Technical security specialists who are hired to apply their offensive mind-set to improve digital resilience."
Hackers & DevOps Engineers: similar
Animals of the same type:
• Highly skilled
• Highly creative
• Allergic to doing the same thing thrice, hence, lazy.
• Love complex problems
Intrinsically improving security
Testing
User acceptance
Development
Production
50% 30% 15% 5%
Intrinsically improving security
Testing
User acceptance
Development
Production
Non-stop pentesting (infrastructure & application)
50% 30% 15% 5%
Intrinsically improving security
Testing
User acceptance
Development
Production
Non-stop pentesting (infrastructure & application)
50% 10% 9% 1% 30%
Intrinsically improving security
Testing
User acceptance
Development
Production
Non-stop pentesting (infrastructure & application)
50% 10% 9% 1%
Code review
Architecture review
DevOps
30%
Non-stop Offensive Security Monitoring
• Adding new tests continuously.
• Non-stop verification of previous findings.
• Executing security tests automatically at every commit.
• Integrated in continuous delivery tooling & processes.
Less time spent on:
• Pre-sales from external suppliers
• Initiating projects
• Infrastructure pentesting
• Doing (boring) stuff manually
Allows for:
• More time for fun creative work
• More time for application pentesting
• More time for automating security testing
• Saving cost
• Lowering operational risk
Hackers & DevOps Engineers: similar, yet different
DevOps Team / Red Team
Red Team
• Build to break
• Independent
• Hack to destroy
• Specialists (security)
• Outward focus (monitoring trends)
• Want root
DevOps Team
• Build to last
• Interdependent
• Hack to create
• Generalists
• Inward focus (getting changes to production)
• Are root
Think inside the box…
DevOps engineer
Think out of the box…
DevOps engineer
Out of the box thinking
Back in the box
But stay in the box!
• Technology: using the same tooling
• Processes: seamlessly joining in existing processes
• People: close cooperation between builders & breakers
Questions?
Freek Kauffmann, ITQ S-Unit
+316 457 61 857