DevSecOps Through Blunt Force Trauma, I'm the Trauma

1A N C I L L A . i o
DevSecOps Through Blunt
Force Trauma, I’m the Trauma
Transformation: Flintstones to
the Jetsons, Security, Teams,
Werewolves, Silver Bullets and
Unicorn's
With a serving of sarcasm
DAV ID GIA MBR UNO
D e v e l o p e d & P r e s e n t e d b y :
Former CIO / CTO / CISO (Mostly all at same time)
Revlon, Pitney Bowes, Tribune Media, & Shutterstock
919-816-5275
“A n a i d i n a c h i e v i n g s o m e t h i n g d i f f i c u l t ”
dgiambruno@ancilla.io
w w w . a n c i l l a . i o

DISCLAIMER
Everything in this deck is public material – read –BEEN DONE & DOCUMENTED
I will say things to challenge your thinking, make you a little angry, then make you laugh (Sarcasm)
The most important things humans can do is exchange ideas
Impossible means that it violates the laws of physics; otherwise it CAN be done!!
I am not an “employee” so buckle up
Caveats - I was a Drill Sergeant in the Army!
Sometimes I am like “Flossing with a Chainsaw”

NARCISSISM SLIDE: Accolades, Awards Etc…
A w a r d s & R e c o g n i t i o n
▪ 2017 MIT CIO Presentation
▪ 2017 Interop API Driven Infrastructure
▪ 2015 Digital Infrastructure: With US CIO at National Press Club
▪ 2015 RSA Mobile Security Presentation
▪ 2013 1st ICE Winner (Enterprise Cloud Innovation)
▪ 2013 Finalist for CPG CIO of the Year (Big Data & Social Data to Drive
Forecasting)
▪ 2013 Top 30 Social Savvy CIO Award (Social Data)
▪ 2013 Microsoft Convergence: Keynote for collapsing 21 ERP to 1
▪ 2013 NetApp Epic Story for Cloud
▪ 2013 Business Visionary Award
▪ 2012 Global Visionary Leadership Award
▪ 2012 Gartner Symposium & IOM Presentation
▪ 2011 VMWorld Keynote Speaker on Cloud
▪ 2011 MIT Summer Session on Cloud Computing
▪ 2011 Computerworld CIO 100 Winner
▪ 2009 InfoWorld CTO of the year (I should be rich)
▪ 2008 NetApp Green Award
▪ 2006 InfoWorld 100 Award: Manufacturing (Security)
▪ 2006: Security Executive of the Year: Runner up!
A d v i s o r y R o l e s
• Columbia University: Masters of Technology Management Mentor
• Symphony AI
• Everest AI Council
• Sequoia CIO Council
• Accel Partners CIO Council
• Mayfield Innovation Forum
T e a m A w a r d s , R e c o g n i t i o n , a n d T h o u g h t L e a d e r s h i p
• Cloud Computing (Including Data Center Consolidation)
• Cyber Security
• Digital Transformation
• Big Data & Business Intelligence
• Collaboration
• Process Automation
• Global ERP, Project Management, CMS , CRM
C o m p l i a n c e & S e c u r i t y ( C o m m e r c i a l / R e g u l a t o r y )
E x p e r t i s e
• FDIC (Bank and Provider)
• PCI - Credit card
• HIPPA
• SOX
• GLBA
• KMS – Elliptical cryptography systems
• Forensics
• Security staff with industry leading security certifications: CISSP, CISM, CISA,
SANs and Active Top Secret Security Clearances
These accolades are the result of having great teams!

PERSONAL MANAGEMENT PHILOSOPHY
MY JOB:
✓ Enable the business to turn around and face forward.
✓ Make systems work for people, rather than people working for systems.
✓ Command technology to provide competitive advantage for the business.
✓ Provide Management Teams actionable information to make good decisions.
✓ Develop world class delivery organizations where we help make people great and where they want to come to work
everyday.
✓ Get the bad News: Anyone can manage good news.
✓ Know the difference between “I think” and “I know”.
✓ Know what “done” means, not to you but to your “customers”.

Expect my team’s to
1.Make IT better: Deliver faster, better, cheaper and more secure.
2.Get the infrastructure out of the way of the business.
3.Deliver an “iPad” view of the world: Business can just use it. Frictionless.
4.Consistent Improvement: A little bit every day adds up to a lot.
5.Trust but verify: Always be able to prove (show it) what we are doing / delivering.
6.Work as a family.

ABOUT PEOPLE

MOST IMPORTANT LESSON I HAVE LEARNED
P e o p l e a r e , “ M e a n i n g M a k i n g M a c h i n e s ” Dr. Sharon Melnick PhD.
• Whatever they do today is the most important thing in the world to them
• You have to take them on a journey…. Tell a story
✓ Humans have eyes, show them so they can see and ask questions
Te c h n o l o g y i s e a s y, p e o p l e a r e h a r d … .
• Change needs to be done at a pace that allows people to “see” how they will work
• Unless you measure it, it will NOT happen
• Speed is an outcome
To c h a n g e y o u h a v e t o m a ke p e o p l e ” fe e l ” s a fe .

Growth / Value comes down to 2 things, both rely on Technology and Information.
1. Organic
• Taking & Defending Market share
• Innovation
2. Acquisition
• Integration
• Optimization
Speed is today’s competitive advantage

Sometimes you have to be an Evil Overlord with a Hug
Do not tolerate mediocracy
Build greatness…

If you cannot automate it – you don’t need it
Balance building and buying
• Every step forward has to be measured against speed, not effort to move
forward.
Are you building “Tech Debt” snowballs
• Snow balls get bigger over time as they roll forward
Fundamental Architectural / Design / Engineering Principle
P l e a s e l e t ’s n o t b u i l d a n o t h e r H y p e r - V i s o r ‘c a u s e y o u c a n ?

Outcomes – Repeatedly
Delivery to customers, teams, and shareholders

Transformation
Going from the
To the

Transformation: Big Rules
Enable culture of TRY:
1. make people feel safe
2. enable business teams to “see” and think about what can be done and where value can be derived
Use technology to:
1. show technology to start a discussion to show value
2. drive continuous improvement
3. drive competitive advantage
Give back time: ultimate resource
1. find multi-step brute force processes, automate until frictionless
2. key enabler: time used on higher value activities (management discretion)
Disconnect cost, time, and effort to execute:
1. operations
2. projects
Outcome:
1. platform for innovation
2. move resources from operations & support, to revenue and business process activities

PROVEN OUTCOMES:
Transformation, innovation, product, security & $190 million & counting
I w a s u s i n g “A g i l e ” & “ D e v O p s ” p r i n c i p a l s b e fo re a ny o n e ga v e i t a n a m e … .
COMPANY 1:
$70 Million reduction in IT budget in 2 years while
delivering faster, better, cheaper and more secure
▪ Transformation of entire company in 36 months, ~2100%
increase in share price
▪ Collapsed 21 ERP’s into 1 and eliminated over 300 apps
▪ Delivered global view of customer and connected the global
supply chain using Social Media
▪ Got the infrastructure out of the way…. Moved all but 5
servers Cloud and delivered 100% uptime for 3 years
▪ Cyber & Compliance made easy: Zero data loss, defended all
attacks, 90% Self Reliance from Auditors, Zero impact in 2
BCP events. 17 minute mean time to patch…
COMPANY 2:
$120,000 Million reduction in IT budget
in 18 months
▪ Transformed in 18 months (Flintstone's to the Jetson’s). Created
“Frictionless Enterprise”.
▪ Applications: Replaced entire application environment with the
fastest Workday go live on record (Finance & HR)
▪ Data: Built new enterprise data model and enabled Digital
Transformation
▪ Cloud: Collapsed 54 data centers onto SDDC (7 racks) and zero
downtime for 18 months.
▪ Security, Compliance, & BCP: PCI Compliance in 90 days, Removed
1.3 million critical vulnerabilities, deployed 600,000+ patches.
Deployed leading edge Security stack. Fully automated disaster
Recovery & BCP.
▪ Went form 800 FTE to 43….. really

Cloud: Moved 531 Applications
Running 97% of applications at 99.99996 % uptime.
Eliminated & Avoided $70.4M in 2 years.
Metrics
1. Averaged 15,000
automated application
moves a month
2. 14,000 transactions a
second
3. 25 TB data change a
week, and just shy of 1
GB/S to DR.
4. Reduced data center
power by 72%....

Applying Agile & DevSecOps… Disconnection of effort and outcomes
P ro j e c t T h ro u g h p u t u p 4 2 5 % f ro m i n c e p t i o n . L e s s t h a n 1 % p ro j e c t fa i l u re ra t e …
D i d I s ay $ 7 0 M i l l i o n

What do you do when you run at 100% Uptime?
Pimp your data
center….

Transformation 2 Outcome: $2 Billion on 7 Racks, $120 Million savings

2nd Transformation Speed & Scale
72
182
245
300
550
43
43
52
0
100
200
300
400
500
600
2013 2014 2015 2016
Project Completion
Projects FTE
P ro j e c t T h ro u g h p u t u p 2 8 0 % , w i t h 1 / 1 0 t h e p e o p l e . Po w e rs o f s i m p l i f i c a t i o n a n d
a u t o m a t i o n .
D i d I m e n t i o n t h e $ 1 2 0 M i l l i o n ?

Disclaimer on 2nd Transformation
Pulled a Kobayashi Maru - I gave all the legacy away. I had a greenfield to build upon!
Favorite Quote from my Team: How did God create the Universe in 7 days?
No Legacy Infrastructure!
L e s s o n – Way e a s i e r t o s e t u p a n e w i n s t a n c e a n d m o v e t o i t , ra t h e r
t h a n c h a n g e t h e w h e e l s o n t h e c a r w h i l e i t i s m o v i n g .

18 Months – 89 System Go Live – ZERO Misses using Agile & DevOps

Applied to infrastructure….Data Center Consolidation: Team of 4
54 2In 4 months
5 4 D a t a C e n t e rs c o n s o l i d a t e d w i t h f u l l y
a u t o m a t e d D i s a s t e r Re c o v e r y

Transformation 2: Built Hyper Agile Enterprise: Adapt, Consume, Scale, Eject, &
Execute with Predictable Precision and disconnect cost
Enterprise
Private Cloud
Master Data
Big Data
BI / Workflow / KPI
Containers
SAAS Applications
I t i s n o w fe a s i b l e t o b r i n g t o g e t h e r t h e “ C o d e ” a n d “ I n f ra s t r u c t u re ”
w o r l d s t o e n a b l e e n t e r p r i s e s t o t ra n s fo r m h o l i s t i c a l l y

Sad Truth
People spend more time figuring out how NOT to do something challenging, rather than doing it
Design “execution” environment
• Eliminate “time suckers”
• Eliminate distractions
• Focus on outcomes
• Move from process to automation
Address environment of risk avoidance: all about someone to blame
Use technology to deliver
• Capability
• Opportunity
• Cost reductions
A u t o m a t i o n g i v e s y o u t h e “ t i m e ” t o t ra n s fo r m .

Truth….

Get in Front Rather than Being Pulled, then Pushed Out
CIO - Career Is Over
Credit: Simon Wardley

Context…. The Real World
Macro Observations

We are in the longest bull market in history, it will end.
• For the first time ever business will not be able to “turn off” technology spend
• Increased XAAS spend means you cannot stop spending…. This will be awesome
• Unlimited (relatively) tech / product budget will come crashing down
• Accountability will be everything
• Human’s are the fastest way to reduce budget
Public Companies are measured on EBIT, pendulum will swing
• Expenses are bad
• CAPEX is good
Cyber
• Cyber Regulation is coming – the new SOX
• As the world move to Cloud & Code, hackers are attacking Code & Apps….
• Cyber will become more physical
Incoming – Forward looking

OPERATIONAL NIRVANA... For your Board, CEO, CFO, & Shareholders
Increase
Capability
&
Transform (Product)
Increase Flexibility
& Speed
Increase
Security REDUCE COSTS
Data as a
Competitive
Advantage
T h i s i s w h a t b u s i n e s s i s a s k i n g o f t e c h n o l o g y m a n a g e m e n t t e a m s .

WHAT AN “ENTERPRISE” LOOKS LIKE UNDER THE COVERS
Eating an elephant requires
a large glass of water, salt,
pepper, and taking a bite at
a time.
Have a plan of Attack
Progressive refinement
Make the problem smaller

To Make Matters Worse: The ball moved (Digital Transformation)
Data in your company was hard
Now data is Digital Transformation. Generally this means
connecting your data and the consumer data
Entirely new scale…. And you need to make your system's “react”
1 0 0 X t h e D a t a . D o n o t b u i l d M i c ro - M o n o l i t h ’s

Core Philosophy: Progressive Refinement (Simplicity Model)
Create Simplicity Model: what is in the “triangle” for you?
1. Cheap inside and expensive outside.
2. Bottom up to drive projects and time table.
Think in 3 months increments.
3. Change investments accordingly.
4. Develop 5 year roadmap.
Infrastructure Capabilities (+Cloud)
Define what is
inside the triangle
People & Product &
Operating Capabilities
Application Licensing
& Portfolio

Tons of Work
Single Intake
Ticket
System&
Proj Mngt
Optimize
Investment &
Delivery
Progressive Refinement In Action
Shed Complexity: Move to continuous improvement
Iterations to low cost, frictionless, and agile platform to support business strategy
Absorb
Talent
Absorb Care
& Feeding
Standard-
ize
Decouple
Infra-
structure
Auto-mate
& Integrate
Absorb
Talent
Absorb
Care &
Feeding
Standard
-ize
Decouple
Infra-
structure
Auto-
mate &
Integrate
Massive Quantity / Non-Standardized
Infrastructure / Security Challenges
Standardized w/ Legacy
Infrastructure / Security Metrics Automated / Secure / Flexible
Adjust spend to
fund transition
Smart Spend
As Needed to
Reduce Triangle
DevSecOps teams start
• Automation & Uptime
• Frictionless experiences
• Seamless care & feeding
• Turn data into information
• Low risk & high compliance
• Fast & agile delivery / speed to market
• Snap-in M&A
• High complexity & low automation
• Painful user experiences
• Unknown risk & low compliance
• Slow delivery / poor solutions / missed opportunities
• Reinvented M&A every time
Agile
DevSecOps
Simplify application portfolio
Converge Infrastructure & Code Processes
Core
Core
Core
How To:
Traditional teams transform

Big Ideas
Indiscriminate Computing
1. Ability to move anything from private cloud to public clouds, and in between clouds
2. Move based on economic or performance requirements
Entropy: Avoid and stay 1st
1. Ability to continuously adopt new technologies
2. Disconnect cost and effort to adopt those technologies
Fail fast and cheap
1. Raise risk taking threshold to enable experimentation and testing from tech
through product

About Customers: Transforming customer experience
Improve customer experience by:
1. Moving closer to them
2. Scale, contract, and move on demand
Enable developer and product teams by:
1. getting the infrastructure out of the way
2. reducing friction: make things easier
3. disconnect the time it takes to go from
thought to product
Outcomes are the core

Cloud Transformation: 40 Applications, pipelines, operations, and run books with
team of 10.
0 40In 5 months
F u l l y t ra n s p a re n t , ze ro o p e ra t i o n a l i m p a c t .
A P I D r i v e n i n f ra s t r u c t u re

Transforming first step: Classify & Factors
Your application portfolio needs to be broken down and classified
1. Easy
2. Medium
3. Hard
4. Gonna Suck
5. Better to shoot it
6. Never going away
What are the factors you consider?
1. Stateless or Data driven?
2. Public vs. Internal?
3. Operational Overhead – hard to operate
4. Resource intensive
5. On a Mainframe/ AS400…. okay not the Mainframe that bang for your buck?
6. Don’t be CIO’d - cause somebody read it in a Blog.
7. Cloud and Containers are not a Silver Bullet.

Your API’s will define how teams interact with one another
API’s are not just for computers - they define how teams interact with one another
1. behavior
2. responsibilities
3. workflows
Infrastructure: Terraform API defines consistent infrastructure AS WELL AS defining how teams
1. request infrastructure resources
Terraform is the backbone...
1. Enforce consistency
2. Know everything in production

Conway’s Law
Organizations which design systems… are constrained to produce designs which are copies of the
communication structures of these organizations

New Contracts are Created
Developers get a single interface to deploy code and don’t think about infrastructure
Developers are focused on getting applications running on Kubernetes & Docker (Example)
• Infrastructure is abstracted
• Infrastructure does not have to think about individual team
Infrastructure provides abstracted compute & resources
• Infrastructure has one job - keep Kubernetes running
• Make K8 run faster and everything runs faster...
Contract is: if you do this we will run it
• Infrastructure to developers: “Tell the CI system to build a Docker container and I will run it”
• CI system to developers: “Tell me what to build/test and I will do it”
• Infrastructure to CI system: “Tell me when a build is ready and I will run it”

My key to DevOps – API Driven Infrastructure – It is ALL CODE
An API-driven infrastructure
1. Appears as a service to development teams and provides 99.9999% uptime.
2. Integrated into this service would be auto-scaling / de-provisioning and a single view of the world to support the product, user
experience, and data required to grow the company.
Single process to
1. Deploy services
2. Applications
Infrastructure to any cloud (public / private) or data center.
1. Singular development guidelines for services and data, eliminating overlap and streamlining both support and development throughout
the entire company environment.
2. Provides elasticity of applications, based on load or predicted load, for the best customer experience.
3. enables geographic distribution of applications & services without loss of performance or added management complexity.
4. Move “closer” to end users.

No Silver Bullet
● Design for failure
○ Services need to gracefully recover and continue to operate
● Plan for change
○ If there is a better pattern or tool you need to be able to adopt it
● Automate processes
○ Adopt DevOps culture and best practice processes and automate them
○ Deliver the automated processes as a service to the organization
● Build capabilities (not tools)
○ Building your own tools makes sense only if you plan to monetize them
○ If forced to build tools, open source or monetize
● Adopt best-practices
○ Cloud and devops are still new but good patterns and practices already exist
○ Get help when you need it

Automated Infrastructure Provisioning
• Template everything
• Orchestrate both the infrastructure and your containers
• Think of handling secret configurations like passwords
• Backup / Restore is still a thing in the cloud
• If you do a good job you’ve enabled Disaster Recovery too

CI / CD / CS
● Everything is code
○ and needs to go through a CI / CD process, even the infrastructure code and configuration itself
● This is a rinse and repeat problem
○ Identify a step that takes too long to do but
is valuable
○ Get the best tool to automate it and create
a script (or service) that does that
○ Integrate the script / service into one or
more pipeline jobs that run in your orchestration
○ Go back to the top
I added the CS – CONTINUOUSLY SCAN YOUR CODE

What?
• Migrate applications from existing “brick and mortar” data centers to Next Gen virtualized environments
• Outcome: Applications / Services can be moved between DataCenters and Public cloud.
• This will happen in several steps
• Do NOT recommend “lift and shift”
• Connect first
• Build new pipelines
• Run the numbers
• Run the tech
• Increase capability while reducing risk both operationally and security.

Next Gen Workflow & Pipeline
•Standard Tooling (One flavor)
• Jenkins with pipeline plugin
• Interacts with standard APIs across the board
• Teams have control of their entire workflow
• Common helpers and templates provided by us
•Atomic builds and build promotion
• Run-time determinism
• What gets tested is what gets deployed
• "It worked on my machine..."
• Applicable to Docker/Public Cloud and NextGen VMWare
(eventually)
• Same image gets deployed to Dev, QA, and Prod with different
configuration for each environment
• No coupling of behavior to environment, everything is
tunable can run anywhere
• No more long lived integration branches
• Dev and QA branches go away
• Features are added to an ephemeral release branch, built,
tested, and deployed
• Broken builds are thrown away and never deployed
• No more blocking...
• other teams with broken environments
• devs on the same team with broken Dev and QA
branches
• Legacy Support (eventually)
• Ability to apply these best practices to existing applications
with minimal effort

Deploy Anywhere…. Legacy through New
• Application owners only need to create objects for a new system home
• Kubernetes manifest
• Vmware vmx file
• Packer manifest
• Docker files
• Regardless of source/destination application types, implementation will be the same

Moving Parts: Coordinated Effort makes it fast(er)
Public Cloud
1. Architecture
2. Public API to Public Cloud
3. XXXX to Public Cloud
4. Big Data to Public Cloud
5. Factory: Process for refactoring and moving
services quickly to Cloud
6. Operations: CI CD
Internal Cloud
1. Architecture (NextGen)
2. Disaster Recovery Automatic
3. Move to New Data Center Seamlessly
4. Shut down old data centers
5. Easy DR Testing
Running this concurrently reduces operations risk, minimizes investment, and
gets a better business outcome. Business outcome defined as ability to
achieve revenue goals while reducing risk.

Next Gen Data Center in a box – built for transformation & automation
1. Data Center in A Box
2. Simple Framework
3. Highly Automated
4. Highly Redundant
5. Automated DR
6. Run Whatever
7. Run Wherever
8. Multiple ways to get to Public
Cloud and Back
• Puppet
• Turbonomic
• Photon

Bring Teams Together…. Legacy teams need love
1. Load Photon ontop of VSphere
2. Ability to bring K8 back into Datacenter
3. Ability to Move anything to Public Cloud as
well as other providers
4. Test Containers in DC
5. Merge skill sets
6. Enable teams

My Views on Cyber Security in a
World Moving to Code
DevSecOps
CI / CD/CS
These are my opinions
based on 25 years of learning

MY GOLDEN RULE OF CYBER SECURITY
Y o u a r e l e s s s e c u r e t o m o r r o w t h a n y o u w e r e t o d a y
▪ Bugs: What was secure yesterday may not be tomorrow
▪ Vulnerabilities: More tomorrow in your infrastructure, application’s, code and web
▪ Patches: More tomorrow
▪ Virus / APT / Malware: More tomorrow and different attack vectors
▪ People: Attack vectors change (technical and social engineering) so fast that
training can never keep up . Humans make mistakes.
▪ Hackers & Attacks: Change everyday
Cyber Security is NOT a project, it as an ongoing effort
Automation wins in Cyber
Hackers have Digitally transformed

Bad things happen – make it not matter. Cyber is SOLVABLE
▪ Recover: 1-1 Bottle Rocket Vs. Factory
▪ Protect: 27-0 vs. Cryptolocker / Ransomware
▪ Respond: 1- 0 vs. hacking organization
▪ Respond: 1-0 vs. state sponsored attack
▪ Protect: 13,000,000,000 – 1 vs. patching
▪ Protect: 17 Minutes “Mean time to Patch”
Globally (really)
All had Zero business impact. All have white papers.
Laptop hosed. Divisional president was happy. Got a new laptop with a bow and lunch on me

Basic Cyber Rules for a world moving to Code
Deploy a real WAF
Continuously scan your code
CI / CD / CS (Continuously Scan)
Scan your applications
Back your stuff up… it is NOT as ephemeral as you think.
Connect what the hackers are attacking to the code your are writing.

IF YOU THINK CULTURAL APPROPRIATION IS A CRIME!
• Code appropriation is 100X worse and a real challenge
• Coders are copying code not generating their own or bothering to understand what they are taking and ,
when asked to fix problems “issues” arise
• Hackers are embedding attacks in repo’s
• Impact: Coders do not UNDERSTAND how to begin addressing a vulnerability
Get a WAF and continuously scan your code….
Reconcile attacks to code.
Please! Please! Please!

#1 Question: I have been asked Business Leaders & Boards
Why am I a target for a Cyber Threat ?
HACKERS:
• Use your infrastructure to host “stuff”. They don’t pay for data centers!
• Hold your files for ransom and get paid for it
• Use your hardware to mine crypto currency
• Use your infrastructure to attack others
• Sell your information
• Watching you respond to chaos is “fun”
B E C A U S E Y O U
H A V E A
C O M P U T E R !

UTTERANCES THAT DESERVED A SLAP: QUOTES
CISO: “If I don’t know about it, I am not responsible for it! “
CISO: “We outsourced security so we are not responsible and we have someone to blame.”
CIO: “Why do I need inventory?”
CIO: “We don’t scan or patch because its too hard.”
CIO: “We just use usernames, no passwords.”
CTO: “Checking our code for vulnerabilities isn’t necessary.”
Coder: “I don’t know how to fix that code, I just copied it.”
VP SOC: “If we get to many alerts we just turn off all of alerting. “
Th e art of ac cou ntab ility avoid an c e

IRONY OF CYBER SECURITY
You can be “compliant” but not secure!!!!
I LOV E e x p l a i n i n g t h i s t o a u d i t o r s … .

Physics of Cyber Security mandate
that tools & automation have to be at your core
50,000 pages of
vulnerabilities EVERY month…
go ahead start writing tickets
and track each one…. The
Math doesn’t work.

LACK OF “REASONABLE MAN RULES”
People will argue with me all day long on this question:
An organization has 1 million critical vulnerabilities, is that okay?
Under NO circumstance is that okay!
When a fish tank causes a breach the Business Risk doesn’t work.

$500 bet that I could find issues under 30 minutes, it took 5
Say it in your best Jeff Foxworthy voice….
▪ If you leave the default password
enabled on your firewall, you might get
Hacked.
▪ If you leave remote access and default
password on your ERP, you might get
Hacked
▪ If you leave default access to your
Database, you might get Hacked

If your on the internet are you measuring your web vulnerabilities?
If you don’t the slope will never change.
JuneJanuary MayFebuary March
109,567
April August September October November December
12,043
January
100,683
140,815
131,219
39,447
82,082 83,659
61,019
36,034 33,910
19,757 18,941
Get a WAF NOW!

This deserves a Darwin Award but sadly is VERY common.
I generally see THOUSANDS.
2,891
2,019
1,877
1,505
1,343 1,278
1,074
623
329 288
172
74 1
0
500
1,000
1,500
2,000
2,500
3,000
3,500 Default/ Blank
I have no words for how consistent this problem is….

Know what is attacking your code!
Removed 444,337 internal vulnerabilities
634,980 remaining
Deployed 95,311 patches
516,903 remaining
Attacks by country:
Type of
Attacks:
SQL Injection is the attempt to gain
access to an application or obtain
privileged information by executing
arbitrary database queries.
Cross-Site Scripting is the
attempt to hijack a user's
account or web-browsing
session through malicious
JavaScript code.
A backdoor signal is a request
which attempts to determine if
a common backdoor file is
present on the system.
Directory Traversal is the
attempt to navigate privileged
folders throughout a system in
hopes of obtaining sensitive
information.
Site Attacks & Auto Defended Last week
▪ Site A: 56,600
▪ Site B: 6,400
▪ Site C: 741
▪ Site D: 229,500
▪ Site E: 1,500

PLEASE GOD, HELP!
▪ Google search on file types and strings found in particular secret data - like certificates and keys
▪ Private keys abound on unsecured servers on the internet
▪ In 60 minutes had private keys that were stored in the clear on internet accessible servers (no shit)
▪ Big Service Provider in Europe
▪ Large Telco in Pacific Rim
▪ State's EBT service
▪ Big OpenSource software vendor
▪ Notification: All except one took days for anyone to respond
▪ Had to explain the meaning of having Private keys exposed
▪ When I told them to rotate the keys… OMG!
If you think “Blockchain” is a panacea for security,
you’d be WRONG. If companies cannot secure their
Private keys, Blockchain will not matter!

THE ONE SLIDE: BUBBLE WRAP EVERYTHING
Bubble wrap:
▪ your enterprise
▪ your applications
▪ Your code
▪ your services
▪ Your data
▪ your team members
Don’t let them hurt themselves….
▪ Don’t allow people to
hurt themselves
▪ Don’t allow
applications to hurt
themselves
▪ Don’t allow code to
hurt you
▪ Attacks are changing
to fast – anything you
build “static” is waste
of money
The Solution

CLOSE THE WINDOWS AND DOORS
▪ Blank / Default Passwords
▪ Infrastructure Vulnerabilities (Will fingerprint for you – what
something is)
▪ Operating System
▪ Services (Web Server, DNS, +)
▪ Application Vulnerabilities
▪ Database Vulnerabilities
▪ Web Site (Web Application) Vulnerabilities
▪ Code Vulnerabilities
Remove Easy Access by Removing:

WEB / API / CODE
Deploy a real WAF
Continuously scan your code
Scan your applications
Connect what the hackers are attacking to the code your are writing.

FUN FACTS
▪ NSA – “Zero” Zero Day attacks in 2 years. All attacks have been from KNOWN vulnerabilities
▪ According to billionaire investor Warren Buffett, cyber attacks are the BIGGEST threat to mankind — even a
greater threat than nuclear weapons.
▪ 7 out of 10 organizations say their security risk increased significantly in 2017 (Ponemon Institute)
▪ Worldwide cybersecurity spending will reach $96 billion in 2018. (Gartner)
▪ 1/3 of organizations believe they have adequate resources to manage security effectively. (Ponemon Institute)
▪ Crypto miners have impacted 55% of organizations globally (CheckPoint)
70% - 80% of all cyber issues can be eliminated with hygiene.

Built Nucleaus to continuously scan code…. At scale inexpensively

The EndDAV I D GI AMB RUNO
Thank you for joining me!
Do you have any questions ?
Former CIO / CTO / CISO (Mostly all at same time)
Revlon, Pitney Bowes, Tribune Media, & Shutterstock
919-816-5275
“A n a i d i n a c h i e v i n g s o m e t h i n g d i f f i c u l t ”
dgiambruno@ancilla.io
w w w . a n c i l l a . i o

DevSecOps Through Blunt Force Trauma, I'm the Trauma

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to DevSecOps Through Blunt Force Trauma, I'm the Trauma

Similar to DevSecOps Through Blunt Force Trauma, I'm the Trauma (20)

More from DevOpsDays DFW

More from DevOpsDays DFW (20)

Recently uploaded

Recently uploaded (20)

DevSecOps Through Blunt Force Trauma, I'm the Trauma