how to e ff ect change in the epistemological wasteland
play

How to e ff ect change in the Epistemological Wasteland of - PowerPoint PPT Presentation

Jul 22, 2023 •676 likes •2.23k views

How to e ff ect change in the Epistemological Wasteland of Application Security James Wickett How to effect change in the Epistemological wasteland of Application Security - @wickett James Wickett S R . E NGINEER , S IGNAL S CIENCES A

  1. How to e ff ect change in the Epistemological Wasteland of Application Security James Wickett

  3. How to effect change in the Epistemological wasteland of Application Security - @wickett

  4. James Wickett S R . E NGINEER , S IGNAL S CIENCES A USTIN , TX H ANDS - ON G AUNTLT B OOK D EV O PS D AYS G LOBAL O RGANIZER LASCON O RGANIZER @wickett #ruggeddevops

  5. Application Security Monitoring and Instrumentation Application Security you can use! An approach that integrates with devops organizations Productizing the Etsy security approach

  6. signalsciences.com

  7. Summary Software development has been a constant experiment in how we know anything Application Security abdicated runtime responsibility and effectively abdicated development responsibility through incoherent philosophical approaches and fostering organizational silos DevOps is here to stay, and security can actually be a part of it Ops found a way to add value, security needs to find that same path There are three ways we can add value: at development, at deploy, at runtime @wickett #ruggeddevops

  8. A study in how we know anything in Application Security @wickett #ruggeddevops

  9. Spoiler Alert: We don’t ! @wickett #ruggeddevops

  10. once upon a time… @wickett #ruggeddevops

  11. Epistemological Problem of Software Development @wickett #ruggeddevops

  12. We optimize for the probable @wickett #ruggeddevops

  13. Unit Testing @wickett #ruggeddevops

  14. Integration Testing @wickett #ruggeddevops

  15. Happy Path Engineering @wickett #ruggeddevops

  16. We also optimize for the possible @wickett #ruggeddevops

  17. Over Engineering @wickett #ruggeddevops

  18. The scaling algo that never got used… @wickett #ruggeddevops

  19. There is too much to choose from in the realm of possible @wickett #ruggeddevops

  20. Actually, we optimize for the perceived probable @wickett #ruggeddevops

  21. How do we know what to create? @wickett #ruggeddevops

  22. This is the problem @wickett #ruggeddevops

  23. Epistemological Problem of Software Development @wickett #ruggeddevops

  24. We gather data and rhetoric to support our theories @wickett #ruggeddevops

  25. There are 3 major arcs in the history of Software Development @wickett #ruggeddevops

  26. First Arc: Agile @wickett #ruggeddevops

  27. Agile avoids the problem @wickett #ruggeddevops

  28. Agile reminds that we dont know what we are building @wickett #ruggeddevops

  29. @wickett #ruggeddevops

  30. Behavior Driven Development @wickett #ruggeddevops

  31. BDD = Agile + feedback @wickett #ruggeddevops

  32. Behavior Driven Development is a second-generation, outside–in, pull- based, multiple-stakeholder, multiple- scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters. Dan North , 2009 @wickett #ruggeddevops

  33. Amplify Feedback Loop @wickett #ruggeddevops

  34. Agile emphasizes feedback to developers from their overlords and sometimes even customers @wickett #ruggeddevops

  35. TLDR; Rapid Iterations Win @wickett #ruggeddevops

  36. Agile is our guiding Light @wickett #ruggeddevops

  37. The world has changed since Agile @wickett #ruggeddevops

  38. We don’t sell CD’s anymore @wickett #ruggeddevops

  39. Software as a Service @wickett #ruggeddevops

  40. The last fifteen years have brought a complete change in our delivery cadence, distribution mechanisms and revenue models @wickett #ruggeddevops

  41. Second Arc: DevOps @wickett #ruggeddevops

  42. DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM ADMINISTRATION - THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK @wickett #ruggeddevops

  43. DEVOPS @wickett #ruggeddevops

  44. Agile Infrastructure @wickett #ruggeddevops

  45. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr @wickett #ruggeddevops

  46. Less WIP Less technical debt @wickett #ruggeddevops

  47. Customers actually using the feature while the developer is working on it @wickett #ruggeddevops

  48. Great side effect: Produces Happy Developers @wickett #ruggeddevops

  49. @wickett #ruggeddevops

  50. @wickett #ruggeddevops

  51. Devops realized that ops doesn’t know what devs know and vice versa @wickett #ruggeddevops

  52. Dev : Ops 10 : 1 @wickett #ruggeddevops

  53. DevOps is an Epistemological breakthrough joining people around a common problem @wickett #ruggeddevops

  54. Culture is the most important aspect to devops succeeding in the enterprise - Patrick DeBois @wickett #ruggeddevops

  55. Culture is shaped in part by values @wickett #ruggeddevops

  56. @wickett #ruggeddevops

  57. Mutual Understanding Shared Language Shared Views Collaborative Tooling @wickett #ruggeddevops

  58. DEVOPS IS THE INEVITABLE RESULT OF NEEDING TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED COMPUTING AND CLOUD] ENVIRONMENT. - TOM LIMONCELLI @wickett #ruggeddevops

  59. https://puppetlabs.com/sites/default/files/2015-state-of-devops-report.pdf @wickett #ruggeddevops

  60. TLDR; High-performing IT organizations experience 60X fewer failures and recover from failure 168X faster than their lower-performing peers. They also deploy 30X more frequently with 200X shorter lead times. @wickett #ruggeddevops

  61. Culture Automation Measurement Sharing e p u l a g a h c t o b @ s , d r a w d e n o m a d @ - @wickett #ruggeddevops

  62. Devops gone wrong @wickett #ruggeddevops

  63. “THAT THE WORD #DEVOPS GETS REDUCED TO TECHNOLOGY IS A MANIFESTATION OF HOW BADLY WE NEED A CULTURAL SHIFT” - @PATRICKDEBOIS http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops @wickett #ruggeddevops

  64. Third Arc: Continuous Delivery @wickett #ruggeddevops

  65. Continuous Delivery is not merely how often you deliver but how little you can deliver at a time @wickett #ruggeddevops

  66. Delivery Pipelines are rad! @wickett #ruggeddevops

  67. Batch Size of 1 @wickett #ruggeddevops

  68. Separation of Duties Considered Harmful @wickett #ruggeddevops

  69. Give power to the Developers to deploy @wickett #ruggeddevops

  70. Reduce Code Latency Increase Code Velocity @wickett #ruggeddevops

  71. 3 Arcs: Agile DevOps Continuous Delivery @wickett #ruggeddevops

  72. The next Arc: Security Rugged @wickett #ruggeddevops

  73. “…Those stupid developers” - Security person @wickett #ruggeddevops

  74. “Security prefers a system powered off and unplugged” - Developer @wickett #ruggeddevops

  75. Cultural Unrest with security in most organizations @wickett #ruggeddevops

  76. Compliance Driven Culture @wickett #ruggeddevops

  77. “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” @wickett #ruggeddevops

  78. Security is where ops was 5 years ago… @wickett #ruggeddevops

  79. Dev : Ops : Sec 100 : 10 : 1 @wickett #ruggeddevops

  80. Understaffing means no one thinks security helps the business win @wickett #ruggeddevops

  81. DevOps changed that for Ops, security can change too @wickett #ruggeddevops

  82. Netflix demonstrated that people care about resiliency @wickett #ruggeddevops

  83. Innately, we all care @wickett #ruggeddevops

  84. Rugged Software Movement @wickett #ruggeddevops

  85. #ruggeddevops @wickett #ruggeddevops

  86. https://vimeo.com/54250716 @wickett #ruggeddevops

  87. http://www.youtube.com/watch?v=jQblKuMuS0Y @wickett #ruggeddevops

  88. Security’s way forward is to help developers and help operations @wickett #ruggeddevops

  89. Start there @wickett #ruggeddevops

  90. Let’s review Security’s approach thus far @wickett #ruggeddevops

  91. BadIdea #1 Applications can’t be defended—Web App Firewalls Suck! lets do developer training @wickett #ruggeddevops

  92. @wickett #ruggeddevops

  93. @wickett #ruggeddevops

  94. Awareness campaign OWASP Top Ten @wickett #ruggeddevops

  95. We abandoned knowing anything useful about the Runtime @wickett #ruggeddevops

  96. Instead Add Defense based on behaviors @wickett #ruggeddevops

  97. BadIdea #2 Developers can’t figure it out. lets scan for vulnerabilities instead @wickett #ruggeddevops

  98. “here is a 400 page PDF of our findings to prove your developers don't get it!” - The Pen tester @wickett #ruggeddevops

  99. Even with the emphasis on appsec training, in practice we made it a dark art @wickett #ruggeddevops

  100. Integrated rugged testing should sit inside the pipeline @wickett #ruggeddevops

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Peter Hill Yingtong Bu A desolate Central control mansion wasteland High-walled super hub

Peter Hill Yingtong Bu A desolate Central control mansion wasteland High-walled super hub

Peter Hill Yingtong Bu A desolate Central control mansion wasteland High-walled super hub Built in 18 Century Egypt Thrive till nowadays Efficiently monopolize all facets of mass production Residential area for citizens Production

356 views • 14 slides
Reframing the gambling field: epistemological and methodological shifts and the study of the

Reframing the gambling field: epistemological and methodological shifts and the study of the

Reframing the gambling field: epistemological and methodological shifts and the study of the gambling/gaming convergence Sylvia Kairouz, Ph.D. Department of Sociology and Anthropology Concordia University Addictions 2017 Lisbon, October

322 views • 16 slides
Epistemological Databases Andrew McCallum Department of Computer Science University of

Epistemological Databases Andrew McCallum Department of Computer Science University of

Knowledge Base Construction with Epistemological Databases Andrew McCallum Department of Computer Science University of Massachusetts Amherst Joint work with Sameer Singh , Michael Wick , Limin Yao , Sebastian Riedel, Karl Schultz, Aron

910 views • 75 slides
Investigating the influence of assessment questions on student epistemological resources in

Investigating the influence of assessment questions on student epistemological resources in

Investigating the influence of assessment questions on student epistemological resources in physics KELLI SHAR, ROSEMARY S. RUSS, JAMES T. LAVERTY A Challenge for Physics Assessment When students complete assessments, they often do so in ways

265 views • 12 slides
WetlandLIFE, epistemological equality and a disciplinary theatre: the experiences of art

WetlandLIFE, epistemological equality and a disciplinary theatre: the experiences of art

WetlandLIFE, epistemological equality and a disciplinary theatre: the experiences of art approaches for valuing nature 13 th / 14 th November 2018 Valuing Nature Annual Conference, Cardiff Case studies 12 case studies (3 include in-depth

642 views • 29 slides
Uncertainty management in the IPCC Minh Ha-Duong, CNRS haduong@cired.fr 1. Outline

Uncertainty management in the IPCC Minh Ha-Duong, CNRS haduong@cired.fr 1. Outline

Socit de Philosophie des Sciences Symposium, Nancy, 2011-07-21 Climate science and climate change: Epistemological and methodological issues Uncertainty management in the IPCC Minh Ha-Duong, CNRS haduong@cired.fr 1. Outline

413 views • 37 slides
ART OF CHANGE 21 PRSENTATION 2 ART OF CHANGE 21 ABOUT US Art of Change 21 works in the field

ART OF CHANGE 21 PRSENTATION 2 ART OF CHANGE 21 ABOUT US Art of Change 21 works in the field

ART OF CHANGE 21 PRSENTATION 2 ART OF CHANGE 21 ABOUT US Art of Change 21 works in the field of sustainable development and art and the interlinkages between art, social entrepreneurs and the youth. Art of Change 21 started its activities

302 views • 13 slides
Change Management Change Management Change Management Appreciate the balance within Change

Change Management Change Management Change Management Appreciate the balance within Change

Slide 2 Purpose of this Session Objectives Understanding of Change Management principles within RBS Understand why CM is important / necessary Change Management Change Management Change Management Appreciate the balance within

249 views • 4 slides
Communicating Change The journey Change is when things What is change move from a current to

Communicating Change The journey Change is when things What is change move from a current to

Communicating Change The journey Change is when things What is change move from a current to future state Know your vision, your How do end goal, and get clear on you drive what needs to change to change reach it Sometimes the best

550 views • 23 slides
Changing Times, Emerging Generations: A snapshot of the megatrends affecting higher education.

Changing Times, Emerging Generations: A snapshot of the megatrends affecting higher education.

Changing Times, Emerging Generations: A snapshot of the megatrends affecting higher education. Mark McCrindle THETA Conference Monday 11 May 2015 Change. Change. Change. Change. Change. Change. Change. Change. Chang Change. Change.

2.25k views • 87 slides
sUpPORt c O n S T a N t cHAnGe cHAnGe cHAnGe nealford.com @neal4d to make di ff erent in some

sUpPORt c O n S T a N t cHAnGe cHAnGe cHAnGe nealford.com @neal4d to make di ff erent in some

cHAnGe sUpPORt c O n S T a N t cHAnGe cHAnGe cHAnGe nealford.com @neal4d to make di ff erent in some particular to undergo a modi fi cation of to give a di ff erent position, course, or direction to cHAnGe to replace with another to make a

750 views • 71 slides
2/27/2015 2015 PROFESSIONAL ETHICS & CONDUCT Is Change Inevitable? 1 2/27/2015 2

2/27/2015 2015 PROFESSIONAL ETHICS & CONDUCT Is Change Inevitable? 1 2/27/2015 2

2/27/2015 2015 PROFESSIONAL ETHICS & CONDUCT Is Change Inevitable? 1 2/27/2015 2 2/27/2015 3 2/27/2015 The Handwriting on the Wall Change Happens Anticipate Change Monitor Change Adapt To Change Quickly Change Enjoy Change! Be

580 views • 25 slides
If the rate of change on the outside exceeds the rate of change on the inside the end is

If the rate of change on the outside exceeds the rate of change on the inside the end is

If the rate of change on the outside exceeds the rate of change on the inside the end is near -Jack Welch Change brings exceptional opportunities for those ready to take action -John Burke Motels els Man anuf ufacturi acturing

530 views • 29 slides
Effectively Engaging in Should change Have been thinking about changing Change but

Effectively Engaging in Should change Have been thinking about changing Change but

4/27/2014 Discussion Topic Something about yourself that you: Want to change Need to change Effectively Engaging in Should change Have been thinking about changing Change but havent changed yet Something you have

249 views • 5 slides
Lesson Plan: Signs of Climate Change Session 1 What exactly is climate change? Climate change

Lesson Plan: Signs of Climate Change Session 1 What exactly is climate change? Climate change

Lesson Plan: Signs of Climate Change Session 1 What exactly is climate change? Climate change is Long term change in the Earths overall temperature with massive and permanent consequences

548 views • 39 slides
CLIMATE CHANGE Impacts, Vulnerabilities and EPA WHAT IS CLIMATE CHANGE? noun a long-term change

CLIMATE CHANGE Impacts, Vulnerabilities and EPA WHAT IS CLIMATE CHANGE? noun a long-term change

CLIMATE CHANGE Impacts, Vulnerabilities and EPA WHAT IS CLIMATE CHANGE? noun a long-term change in the earth's climate, especially a change due to an increase in the average atmospheric temperature. WHAT'S THE DIFFERENCE BETWEEN WEATHER AND

918 views • 44 slides
A Strategic Epistemic Logic for Bounded Memory Agents Sophia Knight CNRS, Universit e de

A Strategic Epistemic Logic for Bounded Memory Agents Sophia Knight CNRS, Universit e de

Introduction Background Memory The Logic Final Remarks A Strategic Epistemic Logic for Bounded Memory Agents Sophia Knight CNRS, Universit e de Lorraine, Nancy, France Workshop on Resource Bounded Agents Barcelona 12 August, 2015

1.03k views • 48 slides
On the reliability of Monitored Systems John Rushby Based on joint work with Bev Littlewood (City

On the reliability of Monitored Systems John Rushby Based on joint work with Bev Littlewood (City

On the reliability of Monitored Systems John Rushby Based on joint work with Bev Littlewood (City University UK) Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Reliability of Monitored Systems 1 A Conundrum

559 views • 31 slides
Slides: http://kvf.me/osu Notes: http://kvf.me/osu-notes Still going strong Kai von Fintel

Slides: http://kvf.me/osu Notes: http://kvf.me/osu-notes Still going strong Kai von Fintel

Slides: http://kvf.me/osu Notes: http://kvf.me/osu-notes Still going strong Kai von Fintel (MIT) (An)thony S. Gillies (Rutgers) Mantra Contra Razor Weak : Strong Evidentiality Mantra (1) a. John has left. b. John

576 views • 57 slides
Issues in epistemic change Ivano Ciardelli and Floris Roelofsen European Epistemology Network

Issues in epistemic change Ivano Ciardelli and Floris Roelofsen European Epistemology Network

Issues in epistemic change Ivano Ciardelli and Floris Roelofsen European Epistemology Network Meeting Madrid, July 2, 2014 1 Introduction Goal of the talk Develop a simple formal framework to model and reason about: The beliefs that an

613 views • 35 slides
Judgment Aggregation as Maximization of Social and Epistemic Utility Szymon Klarman Institute

Judgment Aggregation as Maximization of Social and Epistemic Utility Szymon Klarman Institute

Judgment Aggregation as Maximization of Social and Epistemic Utility Szymon Klarman Institute for Logic, Language and Computation University of Amsterdam sklarman@science.uva.nl ComSoC-2008, Liverpool Szymon Klarman 1 / 13 Judgment

379 views • 17 slides
Ontological models as functors Andru Gheorghiu Chris Heunen arXiv:1905.09055 1 / 20

Ontological models as functors Andru Gheorghiu Chris Heunen arXiv:1905.09055 1 / 20

Ontological models as functors Andru Gheorghiu Chris Heunen arXiv:1905.09055 1 / 20 (Finite-dimensional) Quantum theory unit vector in | H, | 2 = 1 state complex Hilbert space uu = u u = 1 transformation

854 views • 50 slides
Dynamic epistemic logic Tristan Charrier Franois Schwarzentruber cole Normale Suprieure

Dynamic epistemic logic Tristan Charrier Franois Schwarzentruber cole Normale Suprieure

Discussion about modeling actions Formal definition of event models Model checking Theorem proving Epistemic planning Dynamic epistemic logic Tristan Charrier Franois Schwarzentruber cole Normale Suprieure Rennes May 13, 2019 1 / 80

1.24k views • 80 slides
PUBLIC UNDERSTANDING OF SCIENCE: KEY INSIGHTS AND ACTIONS FOR DIVISION 15 MEMBERS Gale M.

PUBLIC UNDERSTANDING OF SCIENCE: KEY INSIGHTS AND ACTIONS FOR DIVISION 15 MEMBERS Gale M.

PUBLIC UNDERSTANDING OF SCIENCE: KEY INSIGHTS AND ACTIONS FOR DIVISION 15 MEMBERS Gale M. Sinatra University of Southern California THE VALUE & LIMITATIONS OF SCIENTIFIC KNOWLEDGE Democratic societies depend on citizens to make informed

787 views • 34 slides

More recommend