Wabi-Sabi Your DevSecOps Presented by: Brittany - - PDF document


AW6 DevOps Automation, Wednesday, November 6th, 2019, 10:30 AM
Wabi-Sabi Your DevSecOps
Presented by: Brittany Greenfield, Wabbi


SLIDE 1

AW6 DevOps Automation
Wednesday, November 6th, 2019, 10:30 AM

Wabi-Sabi Your DevSecOps

Presented by:
Brittany Greenfield
Wabbi Inc

Brought to you by:

888-268-8770 · 904-278-0524 - info@techwell.com
https://agiledevopseast.techwell.com/

SLIDE 2

Brittany Greenfield

An MIT MBA and Duke undergrad with more than a decade of experience as a strategy leader for enterprise technology companies, Brittany combined her passion for business process innovation, gained at companies such as NetSuite and Kronos, with infrastructure technologies, learned at Cisco and Cybereason, to found Wabbi. Understanding that functional units are increasingly becoming responsible for the security of their own business, she sees the need to assimilate and simplify the complexity of security into the daily processes of developers.

SLIDE 3

BRITTANY GREENFIELD FOUNDER & CEO @bagreenfield

SLIDE 4

@hiwabbi #WabiSabiSecDevOps

QUESTION #1

SLIDE 5

QUESTION #2

SLIDE 6

QUESTION #3

SLIDE 7

As a: Brittany
I want to: Drink Tea
So I can: Finish my presentation

Epics, Stories, Etc

Is it a chip? A crack? How much effort does it take to make it usable?

Story Points

Gorilla Glue Hospital Bills Pain & Anxiety New Mug

Tech Debt

SLIDE 8

THERE IS NO PERFECT ANSWER.

DevOps lives in a world of gray where technical and business risk are balanced to continually deliver value to the customer.

SLIDE 9

Wabi-sabi is an acceptance and appreciation of the impermanent, imperfect, and incomplete nature of everything.

Beth Kempton

SLIDE 10

A cross-disciplinary community of practice dedicated to the study of building, evolving and operating rapidly-changing resilient systems at scale.

Jez Humble

SLIDE 11

SLIDE 12

Untimely information means Development teams don’t know when policies have been violated, leaving Application Security in the rear-view mirror.

“The misalignment between development and cybersecurity teams leads to missed business opportunities, as new capabilities are delayed in reaching the market. In some cases, the pressure to close the gap has caused increased vulnerability, as development teams bend rules to work around security policies and standards.”

Source: McKinsey, July 2019

SLIDE 13

SLIDE 14

DevSecOps

Integration of security into development testing

DevOpsSec

Integration of security after development

SecDevOps

Integration of security into development processes

SLIDE 15

DevOpsSec

Integration of security after development

Source: Gartner

90% of companies begin AppSec after code is in production

191 days to fix a vulnerability in production

What is my current application security risk?

SLIDE 16

DevSecOps

Integration of security into development testing

“Largely manual testing efforts create bottlenecks that delay deployments, increase costs (both for testing and remediation) and create frustration for development and security teams alike.”

Source: Gartner, July 2018

  • What are the scan results & what do they mean?
  • What is my current application security risk?
  • How quickly does this vulnerability need to be resolved?
  • Does this meet the security requirements to be released?

SLIDE 17

SecDevOps

Integration of security into development processes

  • What are the policies that impact this project?
  • What do I need to know to build this feature securely?
  • Have the policies been followed?
  • What are the scan results & what do they mean?
  • What is my current application security risk?
  • How quickly does this vulnerability need to be resolved?
  • Does this meet the security requirements to be released?

100x cheaper to fix in design than prod

Sources: CMU, NIST

74% of developers want to be involved

SLIDE 18

SecDevOps

A development-centric approach that assimilates Application Security processes into Development processes to provide Sec, Dev & Ops teams with just-in-time actionable information.

Security gains easy policy management, knowing that stakeholders are informed and controls are enforced consistently to minimize risk from code in production. Development teams are informed of policies in advance so they can understand and plan for the AppSec requirements, reduce the number of vulnerabilities created, and manage remediation efficiently. Ops gains visibility to understand potential and current bottlenecks, automate security governance, and manage risk acceptance workflows.

SLIDE 19

What is the security profile of this project?

  • Availability
  • Confidentiality
  • Business Value
  • Accessibility
  • Deployment

APP SEC POLICIES

How do I figure out what needs to be fixed first?

  • Criticality
  • Stringency
  • Ease to Fix
  • Versioning

SCORING

What is an acceptable amount of risk to allow?

  • Time to Find
  • Time to Fix
  • Threat Landscape
  • Business Impact
  • Version

SECURITY DEBT

SLIDE 20

Understand the project to know the correct secure coding practices & controls to apply across the SDLC.

PEOPLE

Enable AppSec and PMs to have a consistent cadence to understand the specific policies pertinent to a project and their impact

PROCESS

Share feature-specific policies with developers before coding and capture front-line feedback during development

TOOLS

Centralized policy engine with survey tools to assign policies by project & feature definition information as part of workflow

SLIDE 21

Translate AppSec scans & tests into project-specific results to know what and when to fix.

PEOPLE

Provide PMs and Ops with the information to easily understand and correctly prioritize scan results without AppSec intervention

PROCESS

Define quality gates to provide consistent governance and provide paths to release & remediation based on mutual terms

TOOLS

Score-adjusting tools to simplify interpretation of results and create actionable workflows including automated governance

SLIDE 22

SLIDE 23

SLIDE 24

Understand the effort and risk associated with vulnerabilities to prioritize remediation

PEOPLE

PMs can integrate vulnerability remediation into existing workflows and reduce the upfront cost of non-secure coding practices

PROCESS

Deliberate management of vulnerabilities to ensure continuous deployment with a holistic understanding of business impact.

TOOLS

Vulnerability management solutions with end-to-end integration for continuous feedback to adapt to changing threats & ops

SLIDE 25

  • Hug your AppSec Owner
  • Identify Integration Points
  • Adopt Automation Tools

general@wabbisoft.com @hiwabbi