#DevOpSec - Killing the buzz? Hello! im a security consultant at - - PowerPoint PPT Presentation




slide-1
SLIDE 1

#DevOpSec - Killing the buzz?

slide-2
SLIDE 2

Hello!

i’m a security consultant at NCC Group. you can find me:

× on twitter as @rossja

× pretty much everywhere else as algorythm

slide-3
SLIDE 3

A special note about this presentation!

anytime i include a “buzzword” in a slide... i will also include this:

slide-4
SLIDE 4

Agenda

setting the stage

× blue team × red team × fight!

tricks are for script kiddies

× techniques × tools

wrapup

slide-5
SLIDE 5
slide-6
SLIDE 6

devops

slide-7
SLIDE 7

devops stresses communication, collaboration, integration, automation and measurement of cooperation between software developers and other IT professionals

slide-8
SLIDE 8

devops goals?

  • 1. rapid development
  • 2. continuous deployment
  • 3. quick scaling
  • 4. instant rollback
slide-9
SLIDE 9

devops methods?

continuous (delivery | deployment | measurement)

× orchestration & automation

× infrastructure as code × feedback loops from users/production

virtualization

× cloud × containers

revision control

× git (is anyone using anything else at this point?)

slide-10
SLIDE 10

so basically… devops wants to set you free!

slide-11
SLIDE 11
slide-12
SLIDE 12

Security

slide-13
SLIDE 13

the processes and methodologies involved with keeping information confidential, available, and assuring its integrity.

slide-14
SLIDE 14

security goals? to “serve and protect”

× hosts & data × the business × end-users

slide-15
SLIDE 15

“continuous annoyment”?

policy

× creation × enforcement

audit

× compliance testing × log management & review

simulation

× penetration test × phishing | social engineering

slide-16
SLIDE 16

so basically… security wants to bust your kneecaps!

slide-17
SLIDE 17

thus we get this.

slide-18
SLIDE 18

can we even?

slide-19
SLIDE 19

no more of that

slide-20
SLIDE 20

common conflicts

access control

devops:

× everyone can access everything so things get done

infosec:

× least-privilege, separation of duties

process flow

devops:

× rapid, constant update - often in prod

infosec:

× strict review, isolated env

culture / mindset

devops:

× we need to be able to do whatever we want...

infosec:

× you can only do what we let you...

slide-21
SLIDE 21

ultimately different goals?

dev - build cool things

ops - run cool things

sec - break all the things

nod to @codesoda
slide-22
SLIDE 22
slide-23
SLIDE 23

get over it & move on
slide-24
SLIDE 24

“I wish developers would get security involved sooner”

  • every security pro ever
slide-25
SLIDE 25

“I wish security would stop getting in our way at the last minute”

  • every devops pro ever
slide-26
SLIDE 26
slide-27
SLIDE 27

devopsec is a thing!

slide-28
SLIDE 28

Also known as...

(look how friendly it is!) ---->>

slide-29
SLIDE 29

dev & ops & sec work together in all phases

× design × development × deployment × maintenance

image taken shamelessly from https://newrelic.com/devops/lifecycle
slide-30
SLIDE 30

how does this help security?

continuous security delivery

× use the pipeline to meet compliance & audit objectives × CI/CD lends itself well to rapid patching

continuous monitoring

× use feedback loops from prod to feed ‘attack-driven defense’

improves security awareness

× everyone is involved

slide-31
SLIDE 31

× inject code analysis tools into the dev process

× enforce fixes prior to deployment

× automate attacks against pre-prod code

× prevent vulnerable code from reaching prod

× implement “compliance as code” strategies

some suggestions:

slide-32
SLIDE 32

compliance as code? make security part of the pipeline

× setup requires time and effort × may involve learning new ways of working × it is worth it (really…)
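As an added example (not from the talk, and not any vendor's tool), this is the shape of a "compliance as code" check that runs as a pipeline step: it parses a host's sshd_config and an AWS security group description, evaluates both against a small policy, and fails the build when any control fails. It also covers the "use the pipeline to meet compliance & audit objectives" point from the continuous security delivery slide. The sample config and security group are constructed, and the control IDs (SSH-01, SG-01, ...) and the list of ports that must not be world-reachable are hypothetical policy choices.

```python
import json

# Constructed sample artifacts (not from the original slides): an sshd_config as
# a config-management run might ship it, and one AWS security group in the
# shape returned by `aws ec2 describe-security-groups`.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding no
"""

SAMPLE_SECURITY_GROUP = json.loads("""
{"GroupId": "sg-0123456789abcdef0",
 "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}
 ]}
""")

def parse_sshd_config(text):
    """Map lowercased keyword -> value for effective directives.
    sshd honours the first occurrence of a keyword, so keep the first value."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

# Policy rows: (hypothetical control id, directive, allowed values, value sshd
# assumes when the directive is absent; OpenSSH 7.0+ defaults).
SSHD_POLICY = [
    ("SSH-01", "permitrootlogin", {"no"}, "prohibit-password"),
    ("SSH-02", "passwordauthentication", {"no"}, "yes"),
    ("SSH-03", "x11forwarding", {"no"}, "no"),
]

def check_sshd(text):
    """Return one failure string per control whose effective value is not allowed."""
    settings = parse_sshd_config(text)
    failures = []
    for control, key, allowed, default in SSHD_POLICY:
        actual = settings.get(key, default).lower()
        if actual not in allowed:
            failures.append(f"{control}: {key} is '{actual}', expected {sorted(allowed)}")
    return failures

# Ports that must never be reachable from 0.0.0.0/0 (hypothetical policy choice).
RESTRICTED_PORTS = {22, 3389, 3306, 5432, 6379, 27017}

def check_security_group(sg):
    """Flag inbound rules that expose restricted ports, or all traffic, to the internet."""
    failures = []
    for perm in sg.get("IpPermissions", []):
        world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        if not world:
            continue
        if perm.get("IpProtocol") == "-1":          # "all traffic" rule, no port range
            failures.append(f"SG-01: {sg['GroupId']} allows all traffic from 0.0.0.0/0")
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        exposed = sorted(p for p in RESTRICTED_PORTS if lo <= p <= hi)
        if exposed:
            failures.append(f"SG-02: {sg['GroupId']} exposes ports {exposed} to 0.0.0.0/0")
    return failures

def run_compliance(sshd_text=SAMPLE_SSHD_CONFIG, sg=SAMPLE_SECURITY_GROUP):
    """All policy failures; a CI step fails the build when this list is non-empty."""
    return check_sshd(sshd_text) + check_security_group(sg)

if __name__ == "__main__":
    import sys
    failures = run_compliance()
    print("\n".join(failures) or "all controls pass")
    sys.exit(1 if failures else 0)
```

Run against the constructed inputs it reports three failures (root login and password auth enabled, port 22 open to the world) and exits non-zero; in a real pipeline the inputs would come from the deployed host and the cloud API, and the policy table is the piece the security team owns and reviews like any other code.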

slide-33
SLIDE 33

the devopsec cycle

slide-34
SLIDE 34

the devopsec cycle: code flows source repo → binary repo → production repo, and each pipeline stage carries its own security activities

precommit
  • threat model
  • ide checks
  • peer review

continuous integration
  • static analysis
  • security unit testing
  • alert on high-risk changes

acceptance
  • dynamic analysis
  • automated fuzzing

production
  • pen testing (oob)
  • red teaming
  • bug bounty
  • incident response
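As an added example (not from the talk), this is a commit-stage gate of the "alert on high-risk changes" / "prevent vulnerable code from reaching prod" kind: it parses a unified diff, flags any change under a path that is security-sensitive by convention, and flags added lines that introduce a hard-coded credential or turn off TLS verification; a non-empty finding list fails the build. The sample diff is constructed, and the high-risk path convention (auth/, crypto/, session/, ...) and the secret patterns are hypothetical choices a team would tune for its own code base.

```python
import re
import sys

# Constructed sample diff (not from the original slides): a benign change to a
# view, then a change under app/auth/ that adds a hard-coded AWS key, disables
# TLS verification and removes a password check.
SAMPLE_DIFF = """\
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -10 +10,2 @@ def index():
     return render("index.html")
+    # nothing risky here
diff --git a/app/auth/login.py b/app/auth/login.py
--- a/app/auth/login.py
+++ b/app/auth/login.py
@@ -1,2 +1,4 @@
 import requests
+API_KEY = "AKIAIOSFODNN7EXAMPLE"
+resp = requests.get(url, verify=False)
-    check_password(user, pw)
+    pass
"""

# Paths whose changes always warrant a security reviewer (assumed naming convention).
HIGH_RISK_PATHS = re.compile(r"(^|/)(auth|crypto|session|permissions?|acl)(/|\.|$)", re.I)

# Added-line patterns that block the merge until a reviewer clears them.
ADDED_LINE_RULES = {
    "hard-coded secret": re.compile(
        r"""(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*["'][^"']{8,}["']"""),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "tls verification disabled": re.compile(r"\bverify\s*=\s*False\b"),
}

def parse_diff(diff_text):
    """Yield (new_path, new_file_line_number, added_text) for every added line."""
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+") and not raw.startswith("+++"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1   # unchanged context advances the new-file counter
        # removed lines ('-'), '---' headers and 'diff --git' lines do not advance it

def review_diff(diff_text):
    """Return findings as (path, line or None, reason); an empty list means the gate passes."""
    findings, flagged_paths = [], set()
    for path, lineno, text in parse_diff(diff_text):
        if HIGH_RISK_PATHS.search(path) and path not in flagged_paths:
            flagged_paths.add(path)
            findings.append((path, None, "change to high-risk path needs security review"))
        for reason, rule in ADDED_LINE_RULES.items():
            if rule.search(text):
                findings.append((path, lineno, reason))
    return findings

def gate(diff_text):
    """CI exit status: 0 when there are no findings, 1 when the merge should be blocked."""
    findings = review_diff(diff_text)
    for path, lineno, reason in findings:
        print(f"BLOCK {path}{':' + str(lineno) if lineno else ''}: {reason}")
    return 1 if findings else 0

if __name__ == "__main__":
    # Usage in CI:  git diff origin/main...HEAD | python review_gate.py -
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_DIFF
    sys.exit(gate(data))
```

On the constructed diff the gate reports four findings (the auth path itself, the literal key twice under two rules, and verify=False) and exits 1; the benign view change produces nothing. The path rule is the part worth keeping even where the pattern rules are noisy, because it turns "a human must look at this" into something the pipeline enforces rather than something a reviewer has to remember.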
slide-35
SLIDE 35
slide-36
SLIDE 36

precommit tools

× OWASP Proactive Controls (shift security left!)

code peer review tools:

× Gerrit × Phabricator × Atlassian Crucible

slide-37
SLIDE 37
slide-38
SLIDE 38

commit tools

secrets management:

× chef vault × keywhiz

lib/deps checkers:

× OWASP Dependency Check × Retire.js × Bundler Audit × SourceClear (commercial)

slide-39
SLIDE 39
slide-40
SLIDE 40

acceptance tools

× hardening.io × dynamic scanning tools (nessus, etc.) × OWASP ZAP × Jenkins ZAP plugin × Mittn × Gauntlt × BDD-Security

slide-41
SLIDE 41
slide-42
SLIDE 42

production tools

× ansible | chef | puppet | salt | docker × dynamic scanning tools (nessus, etc.) × bugcrowd × simian army × aws inspector × scout2 (NCC Group tool)

slide-43
SLIDE 43

next-gen waf

some interesting new devopsec tech is coming out in the WAF market (like SignalSciences). Chaim will be talking more about WAF stuff in his talk, up next.

slide-44
SLIDE 44

wrapup

slide-45
SLIDE 45

× integrating the two requires a culture shift × there will be lots to work out × it can be awesome when it’s done right × look to industry leaders like AWS/Netflix × devops + security is cool

slide-46
SLIDE 46

say devopsec one more time...