Through A Security Lens with Mark Nunnikhoven | @marknca @marknca - - PowerPoint PPT Presentation



SLIDE 1

@marknca

Through A Security Lens

with Mark Nunnikhoven | @marknca

Gene Kim’s ^

SLIDE 2

2013 2016 2018 2019

SLIDE 3

  • 2013: Development and Operations should work together
  • 2016: Here are tactics and playbooks to help
  • 2018: Here’s data to help support the cultural transformation
  • 2019: Development needs better tooling & support

SLIDE 4

Roadblocks

  • Lack of understanding of what needs to be in place to deliver desired outcomes
  • Getting data to where it can be used most effectively
  • Opposition to cultural change

SLIDE 5

The Five Ideals

  • 1. Locality and simplicity
  • 2. Focus, flow, and joy
  • 3. Improvement of daily work
  • 4. Psychological safety
  • 5. Customer focus

SLIDE 6

Maxine

SLIDE 7

Maxine

  • Gets hit with an outage
  • Is dealt an outrage
  • Starts a maddening new journey
  • Her experiences frame the cultural changes in the org

SLIDE 8

Maxine (DevOps), William (Security)

SLIDE 9

Locality and Simplicity

1

SLIDE 10

Maxine (DevOps), ideal 1

“I need to deploy”

Needs: access, code, licenses, resources
Must satisfy: customers, plus stakeholder after stakeholder after stakeholder

NOT local and NOT simple

SLIDE 11

Maxine (DevOps), ideal 1

“I need to deploy”

Needs: access, code, licenses, resources
Stakeholders: “Please accomplish this goal”
Customers

Local and simple

SLIDE 12

William (Security), ideal 1: Helping development

“I have to approve/verify/audit” access and code

SLIDE 13

William (Security), ideal 1: Helping development

“I have to approve/verify/audit” access and code

DON’T: be the manual approve/verify/audit step
DO:
  • API/Self-service
  • Educate

SLIDE 14

William (Security), ideal 1: Helping yourself

  • Centralize logging access/analysis
  • Centralize audit access
  • Set up guardrails for other teams

SLIDE 15

Focus, Flow, and Joy

2

SLIDE 16

Maxine (DevOps), ideal 2

  • Use tools that make solving problems easier
  • Focus on solving the business problem
  • Leverage platforms for immediacy and fast feedback

SLIDE 17

William (Security), ideal 2: Helping development

  • DevOps flow
  • Provide self-service for security
  • Immutable platform

SLIDE 18

William (Security), ideal 2: Helping yourself

  • Automate absolutely everything
  • …even the ones that are “special”
  • …even the ones that are “impossible”
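Slides 13, 14, 17 and 18 ask security to replace the manual approve/verify/audit gate with API-driven self-service, guardrails, centralized audit and automation. The following is an added example of what one such guardrail can look like in code; it is not code from the deck, from Gene Kim’s book, or from Trend Micro. A developer submits a deployment request and immediately gets an explained verdict with a fix for each finding (the “educate” half), and every decision is emitted as a structured line for a central audit log. The request shape, the approved registry name, the rule names, the `secretref://` convention and the two sample requests are all assumptions constructed for the example.

```python
"""Self-service security guardrail for deployment requests.

Added illustrative example (not from the deck). A developer submits a
deployment request and gets an immediate, explained verdict instead of
waiting on a manual approve/verify/audit step. Every decision is also
emitted as a structured record for a central audit log.

Assumptions (none come from the slides): the request shape, the approved
registry name, the rule names and the 'secretref://' reference scheme.
"""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

APPROVED_REGISTRIES = ("registry.example.internal/",)            # assumed name
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
SECRET_NAME_RE = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)
SECRET_REF_PREFIX = "secretref://"                                # assumed scheme


@dataclass
class Finding:
    rule: str      # stable rule id, useful when querying the audit log
    message: str   # what is wrong, in plain language (the "educate" part)
    fix: str       # what the requester can do about it right now


@dataclass
class Decision:
    allowed: bool
    findings: list = field(default_factory=list)


def check_deployment(request: dict) -> Decision:
    """Evaluate one deployment request against the guardrails."""
    findings = []
    image = request.get("image", "")

    if not image.startswith(APPROVED_REGISTRIES):
        findings.append(Finding(
            "image-registry",
            f"image '{image}' does not come from an approved registry",
            "push the image to an approved registry and reference it from there"))
    # Immutable platform: a tag can be moved after review, a digest cannot.
    if not IMAGE_DIGEST_RE.search(image):
        findings.append(Finding(
            "image-immutable",
            "image is referenced by a mutable tag, so what runs can change after review",
            "pin the image by digest: <name>@sha256:<digest>"))
    if request.get("privileged", False):
        findings.append(Finding(
            "no-privileged",
            "privileged containers can reach the host kernel and devices",
            "drop 'privileged' and grant only the capabilities the workload needs"))
    # Missing run_as_user is treated as root, which is the container default.
    if request.get("run_as_user", 0) == 0:
        findings.append(Finding(
            "non-root",
            "the workload would run as root inside the container",
            "set run_as_user to a non-zero uid"))
    for name, value in request.get("env", {}).items():
        if SECRET_NAME_RE.search(name) and not str(value).startswith(SECRET_REF_PREFIX):
            findings.append(Finding(
                "no-plaintext-secrets",
                f"environment variable {name} carries a literal secret value",
                f"store it in the secrets manager and reference it as {SECRET_REF_PREFIX}<path>"))

    return Decision(allowed=not findings, findings=findings)


def audit_record(requester: str, request: dict, decision: Decision) -> str:
    """One JSON line per decision, for the centralized audit log."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "requester": requester,
        "image": request.get("image"),
        "allowed": decision.allowed,
        "rules_failed": [f.rule for f in decision.findings],
    }, sort_keys=True)


# Constructed sample requests (not real deployments).
UNSAFE_REQUEST = {
    "image": "docker.io/library/payroll-api:latest",
    "privileged": True,
    "run_as_user": 0,
    "env": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
}
SAFE_REQUEST = {
    "image": "registry.example.internal/payroll/api@sha256:" + "a" * 64,
    "privileged": False,
    "run_as_user": 10001,
    "env": {"DB_PASSWORD": "secretref://payroll/db", "LOG_LEVEL": "info"},
}

if __name__ == "__main__":
    for who, req in (("maxine", UNSAFE_REQUEST), ("maxine", SAFE_REQUEST)):
        decision = check_deployment(req)
        print("ALLOWED" if decision.allowed else "BLOCKED")
        for f in decision.findings:
            print(f"  [{f.rule}] {f.message}\n      fix: {f.fix}")
        print(audit_record(who, req, decision))
```

The point of the shape is that security writes the rule once and then gets out of the request path: the developer can run the check before asking for anything, every finding says what to do next, and the audit trail is produced by the same code rather than reconstructed from tickets afterwards.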

SLIDE 19

Improvement of Daily Work

3

SLIDE 20

Security is really bad at this.

SLIDE 21

Maxine (DevOps), ideal 3

Innovation flywheel: Idea → Experiment → Feedback → Idea…
Andon cord: Work, Work, “Stop all work”, Fix

SLIDE 22

William (Security), ideal 3: Helping development

  • API/Self-service
  • Educate

SLIDE 23

William (Security), ideal 3: Helping yourself

Andon cord: Work, Work, “Stop all work”, Fix

  • Don’t accumulate technical debt
  • Don’t accumulate security debt
  • Automate in place

SLIDE 24

Psychological Safety

4

SLIDE 25

Maxine (DevOps), ideal 4

Foster a culture where…

  • It’s ok to make a mistake
  • There’s no fear of reprisal
  • It’s normal to discuss problems openly

SLIDE 26

William (Security), ideal 4: Helping development

  • Don’t assign blame
  • Support a culture of teaching & learning
  • Trust & enable…and yes, verify

SLIDE 27

William (Security), ideal 4: Helping yourself

Foster a culture where…

  • It’s ok to make a mistake
  • There’s no fear of reprisal
  • It’s normal to discuss problems openly

SLIDE 28

Customer Focus

5

SLIDE 29

Maxine (DevOps), ideal 5

  • Focus on the core of the business, not context
  • “Does this matter to our customer?” as a guiding light
  • Remove work that doesn’t matter

SLIDE 30

William (Security), ideal 5: Helping development & yourself

  • Focus on the core of the business, not context
  • “Does this matter to our customer?” as a guiding light
  • Remove work that doesn’t matter

SLIDE 31

Keys To Success

SLIDE 32

The Five Ideals

  • 1. Locality and simplicity
  • 2. Focus, flow, and joy
  • 3. Improvement of daily work
  • 4. Psychological safety
  • 5. Customer focus

Apply equally to security & development

SLIDE 33

Your Security Practice Focus

  • Educate development about security concerns
  • Provide self-service/API driven security tools
  • Improve your daily work through relentless automation

SLIDE 34

Thank You

Mark Nunnikhoven

Vice President, Cloud Research, Trend Micro | @marknca | https://markn.ca