SecDevOps? DevSecOps? DevOps? Which is it? And what is DevOps? And where does security fit?

Security and DevOps Overview


In case you didn’t already know...

Why are we here?

• IT is changing fast. Attackers are changing fast. Defenders don’t.

• Security tools must change

• Security processes must change

• Security practitioners must change

What is DevOps? (No really – what is it? Discuss.)

What is DevOps? SPEED

Words: what do they mean?

• ‘Full stack’

• Automation Engineer

• DevOps Engineer

• Agile

• Waterfall

• Lean

• Cloud

• DevOps

‘New’ IT

There is a new IT: what is it?

[Diagram: Agile/Lean Business, Cloud and DevOps – people and processes, tools and products, results]

Welcome to the new IT: key trends

• Speed: 10x faster to prod

• Agility

• Integration

• Automation

• Developers

• Convenience

• Resilience: going faster requires better safety

• Success: project success increases by 14%-28%

NOTE: Success metrics from 2013 Ambysoft and 2015 Chaos Manifesto survey data, comparing projects using Waterfall vs Agile. Agile project success improvements increase with project size.

Why DevOps?

[Diagram: Agile Business, DevOps and Cloud reinforcing one another]

Where does security fit?

Pete Cheslock’s analogy

https://twitter.com/petecheslock/status/595617204273618944

Stefan Streichsbier’s solution

https://www.slideshare.net/StefanStreichsbier/application-security-in-an-agile-world-agile-singapore-2016

The new practitioner

The Security Practitioner: old versus new

The Traditional Practitioner

• Monitoring security alerts

• Manage network security

• Manage endpoint security

• IR/Forensics

• Pentesting

• Vulnerability Scanning

• Policies/Standards

• Compliance/Regs

• Log management

• DR/BCP and SecAware

The New Practitioner

• Influence design, architecture standards, processes

• Automate tasks (code)

• Forensics

• Security assessments

• Identify gaps and recommend fixes (code)

• API integration (code)

• Data science (code)

• Routing, load balancing, network protocols

Understanding security’s role by understanding IT

Traditional approach to security:

• Security is always a secondary or enabling layer

• Security must have direct knowledge and experience with the underlying layer in order to be effective at protecting it or recommending feasible solutions

• Direct experience in core technical disciplines goes a long way in earning respect and cooperation

[Diagram: IT layers – Physical Security, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops]

Understanding security’s role by understanding IT

Issues with the traditional approach:

• Few security teams can ever be ‘well-rounded’ enough

• Security team isn’t qualified to advise much of IT

• Adversarial/dysfunctional relationships common

• IT changes often; attackers adapt quickly

• Defenders and security tools adapt slowly

[Diagram: IT layers – Physical Security, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops – with Security alongside]

Security’s changing role. An example: going ‘cloud-first’

• Lower-level IT layers are outsourced

• Most security practitioner knowledge lies in these layers

• Infrastructure-heavy security skillsets lose value

• Concept of bi-modal IT further confuses things

• As IT changes, so must security

[Diagram: IT layers – Physical Security, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops]

Security’s changing role. Cloud and DevOps – an opportunity to redesign security:

• Smaller ‘well-rounded’ groups

• Dev, ops, infrastructure and security roles are shared

• Everyone working towards a clear, common goal

• Relationship between security and developers is crucial

• Security can’t impact delivery schedule

[Diagram: Physical/OS Layer, Network Layer and Service Desk outsourced; Dev, QA, Test, Web/App Layer and Ops merged; Security alongside]

Questions

What should security’s future role be?

• Security is redistributed into IT for all operational tasks

• Dedicated security staff performs:

  • high-level design, design/architectural input

  • monitoring of changes in risk/attackers/landscape

  • instruction/consulting for individual SMEs as needed

[Diagram: Physical/OS Layer, Network Layer, Service Desk; Dev, QA, Test, Web/App Layer and Ops; an Internal Security Team advising a Security SME embedded in each group]

New rule: if you own it, own it

“Whoever is responsible for an asset – be it data, infrastructure, code, or people – must secure it”

Why make asset owners responsible?

• No one knows and understands the opportunities, constraints and dependencies of the asset better

• Security becomes a bottleneck for performance, progress and often, even security

• Little to no time wasted on remediation conflict: what to fix, how to fix it, when and at what priority level

• Likely that fewer security issues will occur*

• Drives the cost of securing systems down, in terms of labor, efficiency and efficacy**

* I’ll explain later

** I’ll explain after that

Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson

Reads like a short version of the Phoenix Project

• Creating an independent testing group can encourage counterproductive culture

• “Don’t do today what you can push off onto someone else’s plate”

• Document and address low hanging fruit

• Schedule time for developers to test and fix bugs

• To improve code quality, stop the problem at the source

• Everyone should understand what they’re building and why

• Get testers involved earlier in the process

• Bottleneck the testing resources and developers are forced to ship higher-quality code

http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf

Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson

• Could this apply to InfoSec?

• Surely not.

• In fact, it might be quite worse.

• We’ve convinced everyone not just that security is our job, but that we’re the only ones that can do it properly.

• What if they believed us?