help my security officer is allergic to devops
play

Help, my Security Officer is allergic to DevOps! DevOps and - PowerPoint PPT Presentation

Oct 26, 2022 •288 likes •708 views

Help, my Security Officer is allergic to DevOps! DevOps and Security, a match made in heaven or a forced marriage from hell? Pop quiz: What is the acronym for... Hyper Text H T Transfer T Protocol P Pop quiz: What is the acronym for...

  2. Help, my Security Officer is allergic to DevOps…! DevOps and Security, a match made in heaven or a forced marriage from hell?

  3. Pop quiz: What is the acronym for... Hyper Text H T Transfer T Protocol P

  4. Pop quiz: What is the acronym for... Internet I Mail Access M A Protocol P

  5. Pop quiz: What is the acronym for... Secure Hyper Text S H T Transfer T Protocol P

  6. Pop quiz: What is the acronym for... Secure Internet S I Mail Access M A Protocol P

  7. Pop quiz: What is the acronym for... Development & Dev Operations Op

  8. Pop quiz: What is the acronym for... Secure S Development & Dev Op Operations

  9. Image: Portrait taken by Arthur van Schendel > whoami » Frank Breedijk – Security Officer at Schuberg Philis – Author of Seccubus – Blogger for CupFigther.net Email: fbreedijk@schubergphilis.com Twitter: @Seccubus Blog: http://cupfighter.net Project: http://www.seccubus.com Company: http://www.schubergphilis.com

  10. Image: http://devopsreactions.tumblr.com/post/47939884113/blue-screen-after- patching-production-server Typical security officer reaction when you propose DevOp

  11. Image: Conjunction CC NC by lrargerich http://www.flickr.com/photos/ 29638083@N00/5707310636/ We need to understand where we come from… » DevOp » Security

  12. What is DevOp? » DevOp is a methodology where Development and Operations jointly work together to enable faster delivery of software or services to the production environment. » DevOp enables faster release cycles (up to and above ten releases a day) » With DevOp software can be automatically built, tested and deployed, ideally without the involvement operations resources » DevOp is often supported by Agile development processes

  13. Source: http://devopsreactions.tumblr.com/post/41776196984/first-test Faster delivery cycles… How is this going to affect my security posture?

  14. Image: @akaasjagers desktop by Frank Breedijk Developers do not have a great reputation with security

  15. Source: http://testerreactions.tumblr.com/post/50489315537/new- implementation-first-verification Faster delivery cycles… What security worries about » Poorly tested code… » How can it be mitigated? (aka Your answer) – Automated testing • Functionality • Security – Foritfy, VeraCode, WhiteHat Sentinel – Gauntlt (https://github.com/gauntlt) – BDD-Security (http:// www.continuumsecurity.net/bdd- intro.html) – Chaos Monkey (https://github.com/ Netflix/SimianArmy) – Seccubus (www.secubus.com)

  16. Source: http://devopsreactions.tumblr.com/post/46061575774/surviving-a-ddos- attack Faster delivery cycles… What security worries about » No more room for to patch » How can it be mitigated? (aka Your answer) – Patches become just another release – If we miss a patch window, there will be plenty more – We didn’t miss our single shot to get it right

  17. Source: http://en.wikipedia.org/wiki/Separation_of_duties Joint cooperation Automated deployment » What about separation of duties?

  18. Source: http://devopsreactions.tumblr.com/post/50566447542/another-pci-dss-audit Another PCI DSS audit

  19. Source: http://securityreactions.tumblr.com/post/31398166073/when-someone-says-their-company- is-secure-because-they When someone says their company is secure because they run PCI- DSS Scans

  20. Source: http://devopsreactions.tumblr.com/post/48511362536/i-dont-need-to-test-that-what-can- possibly-go-wrong Segregation of duties… What does security worry about? » Mistakes by incompetence » How can it be mitigated? (aka Your answer) – Culture • Make sure people know and respect their own limits – Transparency • Make sure all changes are visible to everyone • Peer review • Changes are small and can be understood – Not every part of the system is in scope of PCI DSS/SOX • Work with approvals for components in scope

  21. Source: https://twitter.com/NeedADebitCard Segregation of duties… What does security worry about? » Fraud – There may be actual financial losses – Failed PCI DSS/ SOX – Auditors want us to have this » How can it be mitigated? (aka Your answer) – Transparency • Make sure all changes are visible to everyone • Peer review • Changes are small and can be understood – Not every part of the system is in scope of PCI DSS/SOX • Work with approvals for components in scope

  22. Putting signatures on critical code… Critical code Security team New/changed does NOT match Build fails reviews critical code is checked Build ok! signature code and signs it in

  23. Source: http://doit.creighton.edu/faculty-staff-services/cab 10 or more releases a day…

  24. Source: http://dilbert.com/strips/comic/2006-08-17/ Security says NO…

  25. Source: http://securityreactions.tumblr.com/post/67562914945/java-source-code-review Change advisory board… Why security says noooo… » Are changes reviewed for security? » How can it be mitigated? (aka Your answer) – It will happen anyway… – There will be at least 50 changes a week • Security doesn’t have the capacity to review everything • Let us help you to deal with this • Ask for guidance on what needs a review • Implement signatures for critical functionality • Add automated security testing

  26. Change advisory board… Why security says noooo… » Changes must have a role back plan » How can it be mitigated? (aka Your answer) – Role back cannot exist • But fix forward does (multiple times a day) • Make sure security fixes can ‘jump the queue’

  27. Source: http://securityreactions.tumblr.com/post/64390760807/when-the-client-asks-me-to-verify- their-fix Change advisory board… Why security says noooo… » We are afraid of uncontrolled change » How can it be mitigated? (aka Your answer) » The CAB was our only point of influence – Enable security to become the immune system • Give insight into all changes • Allow security to test / verify changes • Whenever, whatever, however • Automate security tests » Pulling the Andon cord is not saying no… » Remind security that survival isn’t mandatory

  28. Image: Planning Poker, CC NC SA by 2nk - http://www.flickr.com/photos/ 53023503@N00/3947006171/ Agile development My objections » Product owner owns the backlog to delivery functionality to the user » Complexity of stories is measured in story points » You don’t get points for fixing defects Security » Is often a “non-functional” requirement » Making sure security is part of a story increases complexity (cost) of a story » Devs are not rewarded for fixing security issues » Result: Security seems to make you less agile

  29. Image: Post-It Fun, CC by zerojay - http://www.flickr.com/ photos/15969266@N04/3238168719/ Agile development Your answer » Security and product owner should cooperate » Non-functional requirements are requirements too » Dealing with NFRs from the start is more effective/efficient then dealing with them later » We will plan for unplanned work » Make sure the team is rewarded for reducing technical debt – There is security debt in technical debt

  30. Where Security needs to be fit into Agile Backlog grooming • Make sure there is room for Technical Debt, and (Emergency)patching Acceptance Sprint Planning • Functional • Make sure security is accounted for in you • (Non)functional planning (Automated)Testing Execution • Test for security too!!! • Ask security to be there for the developer/Ops guy

  31. Source: http://securityreactions.tumblr.com/post/59198452899/crypto- implementation-in-whistle-im Security is misguided too… » Security people are obsessed with controls/locks… » We don’t often spend time/money where it has the most effect on security

  32. Source: Managing Operational Threat by Joshua Corman for Carnegie Mellon University Where do we get the most bang for buck? » Specific security technologies – IDS, IPS – Next generation firewall – Data loss preventions Mitigating measures » What is happening now? – Who is attacking? – What are they doing Situational awareness » How well are your systems maintained? – Patch levels up to date? – Security holes patched? Craftsmanship in setup and – Passwords hashed and salted? operations – AV up to date? » How well can you defend your infrastructure? – Layers of defense? Defensible infrastructure – Access control in order? – Dual factor authentication? – Stepping stones?

  33. Source: Managing Operational Threat by Joshua Corman for Carnegie Mellon University What the industry talks about » Conference talks are centered around attack and technical measures » Most infosec spending is around mitigating measures, not defensible infrastructures of quality of software / infrastructure operation

  34. Example: using automation to build system images » At Schuberg Phils we automated OS builds » Wins for security – Systems are no longer like snowflakes – Every system that is installed at least starts secure – Insecure images break the build – Tested against the CIS benchmarks » Wins for Dev/Ops – Software is tested against secure builds – Works on my laptop becomes irrelevant – No need to wait 2 hours for all windows patches to install

  35. Image: http://devopsreactions.tumblr.com/post/49168088989/backup-and-dr-testing Rugged DevOpS

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT

CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT JULIEN VEHENT MOZILLA SECURITY MOZILLA SECURITY

724 views • 49 slides
THE DEVOPS OPPORTUNITY: BALANCING SECURITY AND VELOCITY INSIGHTS FROM RED HAT/CYBERARK

THE DEVOPS OPPORTUNITY: BALANCING SECURITY AND VELOCITY INSIGHTS FROM RED HAT/CYBERARK

THE DEVOPS OPPORTUNITY: BALANCING SECURITY AND VELOCITY INSIGHTS FROM RED HAT/CYBERARK DEPLOYMENTS AT SCALE Joe Garcia, CISSP - Principal Engineer, DevOps Security joe.garcia@cyberark.com @Joe_Garcia David Federlein Joe Garcia Likes Coffee

565 views • 7 slides
When devops meets security Michael Brunton-Spall I'm from the Government and I'm here to

When devops meets security Michael Brunton-Spall I'm from the Government and I'm here to

When devops meets security Michael Brunton-Spall I'm from the Government and I'm here to help I'm from security and I'm here to help Government Digital Service Simpler, Clearer, Faster The state of information security in 2015

844 views • 70 slides
Privilege Security & Next-Generation Technology Morey J. Haber Chief Technology Officer

Privilege Security & Next-Generation Technology Morey J. Haber Chief Technology Officer

Privilege Security & Next-Generation Technology Morey J. Haber Chief Technology Officer mhaber@beyondtrust.com Agenda The Next-Gen Threat Landscape o Infomatics, Breaches & the Attack Chain o Securing Cloud, DevOps & IoT o

450 views • 31 slides
A Continuation of Devops Policy as Code March 2019 Gareth Rushgrove @garethr Docker This talk

A Continuation of Devops Policy as Code March 2019 Gareth Rushgrove @garethr Docker This talk

A Continuation of Devops Policy as Code March 2019 Gareth Rushgrove @garethr Docker This talk What to expect - A little history Infrastructure, APIs and devops - Parallels with security Security as policy management - Security tool

837 views • 60 slides
DevOps A History in Configuration Management About me Senior Information Security Architect @

DevOps A History in Configuration Management About me Senior Information Security Architect @

DevOps A History in Configuration Management About me Senior Information Security Architect @ Epigen Technology Security nerd & avid lock picker Auditor, Analyst, Engineer Organizer / Volunteer various conferences Tech policy & tech

352 views • 24 slides
So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security

So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security

So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security Officer Background Personal Starion Bank Arts Goals Highlight the typical responsibilities of an Information Security Officer from

778 views • 22 slides
DevOps & AWS Chris Econn Head of DevOps CorpInfo | AWS Premier Partner DevOps Bill of Rights

DevOps & AWS Chris Econn Head of DevOps CorpInfo | AWS Premier Partner DevOps Bill of Rights

DevOps & AWS Chris Econn Head of DevOps CorpInfo | AWS Premier Partner DevOps Bill of Rights How to use CI/CD to safeguard personal liberties within your organization LA AWS Users Meetup Group

614 views • 30 slides
Enabling Security Smarter Harnessing the Power of DevOps - Herding Cats for Beginners Cloud

Enabling Security Smarter Harnessing the Power of DevOps - Herding Cats for Beginners Cloud

Enabling Security Smarter Harnessing the Power of DevOps - Herding Cats for Beginners Cloud Security Alliance Congress - Madrid 2016 Richard Morrell, Principal Security Strategist - Fall 2016 Who Am I ? Richard Morrell Security Strategist /

392 views • 25 slides
Allergic Disorders in the UK An overview By Leigh George, Allergy UK In Introducing Allergy UK

Allergic Disorders in the UK An overview By Leigh George, Allergy UK In Introducing Allergy UK

Allergic Disorders in the UK An overview By Leigh George, Allergy UK In Introducing Allergy UK Who we are The leading patient charity for people living with all types of allergic disease Our mission is to improve the quality of life

481 views • 17 slides
Whos me? Zequi V azquez DevOps & Backend PhD student Hacking & Security

Whos me? Zequi V azquez DevOps & Backend PhD student Hacking & Security

Whos me? Zequi V azquez DevOps & Backend PhD student Hacking & Security RocknRoll (electric guitarist) Videogames Books Zequi V azquez @RabbitLair Drupal #ExtremeScaling Introduction 1 The Project 2 Problems and

465 views • 30 slides
Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by design Ecosystem integration Strong momentum Founded by Wireshark Cloud-native security Customer expansion mirrors co-creator and

247 views • 22 slides
About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor,

About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor,

About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor, Analyst, Engineer, Architect Tech policy Instructor @DC_TOOOL Conference Organizer / Volunteer apporima.com @apporima api_security I

204 views • 17 slides
DevOps: Are You Pushing Bugs to Your Clients Faster? Wayne Ariola Chief Strategy Officer -

DevOps: Are You Pushing Bugs to Your Clients Faster? Wayne Ariola Chief Strategy Officer -

DevOps: Are You Pushing Bugs to Your Clients Faster? Wayne Ariola Chief Strategy Officer - Parasoft 2015-10-21 1 Parasoft Proprietary and Confidential Re-Evaluate the Cost of Software Quality http://alm.parasoft.com/continuoustestingbook 2

758 views • 38 slides
Dev "Programming" Ops for DevOps Success Damon Edwards @damonedwards dev2ops.org

Dev "Programming" Ops for DevOps Success Damon Edwards @damonedwards dev2ops.org

Dev "Programming" Ops for DevOps Success Damon Edwards @damonedwards dev2ops.org DevOps Cafe Disclosure: DevOps (to me) Disclosure: DevOps (to me) DevOps is not a specific methodology or prescriptive steps only achievable

1.94k views • 154 slides
Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
Gradient Descent Michail Michailidis & Patrick Maiden Outline

Gradient Descent Michail Michailidis & Patrick Maiden Outline

Gradient Descent Michail Michailidis & Patrick Maiden Outline Mo4va4on Gradient Descent Algorithm Issues & Alterna4ves Stochas4c Gradient Descent

839 views • 29 slides
CDK The toolbox HAPPY for the Angular developer Christian Janz @c_janz Christian Janz

CDK The toolbox HAPPY for the Angular developer Christian Janz @c_janz Christian Janz

CDK The toolbox HAPPY for the Angular developer Christian Janz @c_janz Christian Janz Senior Software Architect Please mind the gap @c_janz /github.com/cjanz https:/ CDK? Enterprise Angular Apps UI Toolkits to the Rescue

684 views • 21 slides
Indie Marketing 101 not Todays Session Presenting for audience with varying levels of

Indie Marketing 101 not Todays Session Presenting for audience with varying levels of

Indie Marketing 101 not Todays Session Presenting for audience with varying levels of experience, skills The Basics Where, when, how to start The Marketing Mix Creating a Marketing Plan Examples Q & A Objectives

750 views • 41 slides
A physical analogue of the Schelling model c, 1 Alan Kirman, 1 , 2 , 3 Dejan Vinkovi 1

A physical analogue of the Schelling model c, 1 Alan Kirman, 1 , 2 , 3 Dejan Vinkovi 1

A physical analogue of the Schelling model c, 1 Alan Kirman, 1 , 2 , 3 Dejan Vinkovi 1 Institute for Advanced Study, Princeton, NJ 08540, USA 2 GREQAM, Ecol e des Hautes Etudes en Sciences Sociales, Institut Universitaire de France 3

409 views • 17 slides
Julia tutorial Introduction Some useful pointers Getting started Julia syntax

Julia tutorial Introduction Some useful pointers Getting started Julia syntax

CS/ECE/ISyE 524 Introduction to Optimization Spring 201718 Julia tutorial Introduction Some useful pointers Getting started Julia syntax Plots in Julia Learning JuMP Submitting a notebook Laurent Lessard

524 views • 16 slides
Todays Presenters Kendra Jones Childrens Librarian, Tacoma Public Library, WA Soraya

Todays Presenters Kendra Jones Childrens Librarian, Tacoma Public Library, WA Soraya

Todays Presenters Kendra Jones Childrens Librarian, Tacoma Public Library, WA Soraya Silverman Cory Eckert Youth Services Librarian, Librarian, Post Oak School, Summerlin Library, Las Vegas Houston, TX Clark-County Library District,

871 views • 15 slides
The Electromagnetic Spectrum Principles of Astrophysics & Cosmology - Professor Jodi Cooley

The Electromagnetic Spectrum Principles of Astrophysics & Cosmology - Professor Jodi Cooley

The Electromagnetic Spectrum Principles of Astrophysics & Cosmology - Professor Jodi Cooley Camera-Detector: Human Eye - The lens (camera) focuses light onto the retina (detector). - Aperture of a dark- adapted pupil is < 1 cm in

541 views • 17 slides
hypertext, multimedia finding things finding things navigating hyperspace and the

hypertext, multimedia finding things finding things navigating hyperspace and the

hypertext, multimedia and the world-wide web chapter 21 understanding hypertext understanding hypertext text escapes linearity, words and the page hypertext, multimedia finding things finding things navigating hyperspace

414 views • 10 slides

More recommend