5. Software is eating the world!!!
http://www.wsj.com/articles/SB10001424053111903480904576512250915629460
- Marc Andreessen, 2011
6. DevOps is eating the world!!!
• Imagine solving the world’s problems faster by collaborating and taking responsibility.
• In connection with Cloud Computing, DevOps is the cultural enabler needed to scale creativity and innovation.
• With the goal of solving customer problems faster, no wonder DevOps is taking over.
[Chart annotation: ~1500% increase in 2 years]
7. Cloud is eating the world!!!
• Public Cloud adoption is accelerating at a rapid pace…
• Software defined environments allow scale to happen and more decisions to be made daily…
• More people can experiment, learn and fail at a rapid pace to solve for customer demand…
• Creativity is the next frontier…
http://www.geekwire.com/2016/study-aws-45-share-public-cloud-infrastructure-market-microsoft-google-ibm-combined/
10. How do we change to avoid extinction?
[Diagram: Traditional Security → Security is Everyone’s Responsibility → DEVSECOPS]
11. No really, here’s what is happening…
[Wardley map. Horizontal axis “evolution”: genesis → custom-built → product (+rental) → commodity (+utility). Vertical axis “value”: visible → invisible. Components plotted: customer, informational website, domain names, web app, search engine, mobile, compute, cloud, traditional SDLC, traditional security, red team, penetration testing, agile, devops, continuous integration, continuous deployment, customer-driven innovation, devsecops, compliance as code, security as code, compliance, transparent security, rugged software, fewer better suppliers. Annotations: “emerging”, “growth”, “commodity bound”, “Catching up takes commitment”.]
12. What is DevSecOps?
IS
• A Mindset and Holistic Approach
• A Collection of Processes & Tools
• A Means of Building Security and Compliance into Software
• A Community Driven Effort
• A Strategy Driven by Learning and Experiments
IS NOT
• A One-Size-Fits-All Approach
• A Single Tool or Method
• Just a means of adding Security into Continuous Delivery
• Invented by Vendors
• A Strategy Driven by Perfection and Compliance
DevSecOps is the practice of developing safer software sooner by involving all needed parties in the creative process and practicing continuous improvement from high fidelity actionable feedback with context.
Shares concepts with Rugged Software, Rugged DevOps, SecDevOps, DevOpsSec, DevOps
13. How does DevSecOps operate?
[Diagram: DevSecOps at the centre of four functions]
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
14. How hard could it be?
[Pipeline: Source Code → CI Server → Test & Scan → Artifacts → Deploy → Monitoring]
DevOps Code - Creating Value & Availability
DevSecOps Code - Creating Trust & Confidence
15. What type of skills are required?
[Diagram: overlapping Dev / Sec / Ops skill sets for three roles, Developer, Sys Admin and Security Engineer. Legend: competency; needed skill; functional.]
16. Is everyone bought in?
• Management has some firm requirements due to financial commitments and reporting
• DevOps and Innovation can easily live in 3 out of 4 boxes but hardly like Control
• Security practitioners tend to write policies and distrust everyone but themselves; rightfully so, 1% insider threat is a lot!
[Diagram: 2×2 culture quadrants Control, Collaboration, Cultivation, Competence, on the axes people ↔ company and reality ↔ possibility]
17. Is there a playbook?
Operating Model
• Determine defect and feature flows for Security to funnel to distributed teams
• Inventory work processes, guidelines, policies, experiments, data and tools
• Identify groups, roles and skills required to support processes
• Identify friction and measure speed of MTTR
• Identify types of decisions
• Identify metrics for measuring experiments and adapting processes
Processes
• Implement Code & Infrastructure Guidelines
• Implement Rules Engineering Processes
• Implement Security Defect Reporting
• Implement Consulting and Requests Process
• Implement Infrastructure Templates
• Implement Red Team & SOC Processes
• Implement Manual Staging Processes
• Implement a Decisions Process
• Implement an Escalation Process with clear stakeholders
Tooling
• All systems should be run with API inspection available via a Security Fabric. (Systems without inspection require manual intervention.)
• Implement Security Portal for feedback consolidation across security processes
• Implement Case Management for Requests, Defects, and Incidents
• Implement Testing framework
• Implement Correlation engine
• Implement foundational security controls
• Integrate with core organizational systems
n number of experiments to refine processes and automate where possible
Outcomes
• Identified opportunities to develop capacity without increasing risk to too high a level
• Inventory provides information for Decisions board to help with risk decisions
• Decisions board with clear escalation path by type of decision
• Ability to Communicate and Train on initial processes
• Consistent Ins/Outs of Dynamic Work with standard templates
• SDE helps with reducing manual efforts
• Ability to build up capacity for Stage Two
Expected Issues: Communication changes, adaptation of skills, decisions processes, expectations, audits and risk guidelines mismatch
18. Can you give me an example of the difference?
API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS
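The remediation windows on slide 18 only create “trust and confidence” (slide 14) if the pipeline enforces them, which is what slide 17 means by Security Defect Reporting and Case Management feeding a gate. The following is an added example, not code from the deck or its author: a small CI gate that takes scan findings and the slide’s windows and decides whether a deploy may proceed. The category names, record fields, timestamps and the fail-closed handling of findings with no agreed window are assumptions of this example.

```python
"""Added example (not from the deck): a CI gate that enforces the remediation
windows listed on slide 18. Finding categories, field names, timestamps and the
fail-closed handling of unclassified findings are assumptions of this example."""
from datetime import datetime, timedelta

# Remediation windows as given on slide 18, keyed by an assumed category name.
SLA = {
    "api_key_exposure": timedelta(hours=8),
    "default_config": timedelta(hours=24),
    "security_group": timedelta(hours=24),
    "privilege_escalation": timedelta(days=5),
    "known_vuln": timedelta(hours=8),
}

# Constructed findings, shaped like records exported from a scanner or case system.
FINDINGS = [
    {"id": "F-1", "type": "api_key_exposure", "first_seen": "2024-01-10T08:00:00Z", "status": "open"},
    {"id": "F-2", "type": "default_config", "first_seen": "2024-01-10T12:00:00Z", "status": "open"},
    {"id": "F-3", "type": "known_vuln", "first_seen": "2024-01-09T09:00:00Z", "status": "fixed"},
    {"id": "F-4", "type": "privilege_escalation", "first_seen": "2024-01-04T09:00:00Z", "status": "open"},
    {"id": "F-5", "type": "unreviewed_scanner_rule", "first_seen": "2024-01-10T09:00:00Z", "status": "open"},
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate(findings, now, sla=SLA):
    """Map each finding id to (verdict, hours left before its deadline).

    Verdicts: 'fixed', 'within_sla', 'overdue', or 'unclassified' when the
    category has no agreed window (slide 17: that needs a decision, not a guess).
    """
    verdicts = {}
    for f in findings:
        if f["status"] == "fixed":
            verdicts[f["id"]] = ("fixed", None)
            continue
        window = sla.get(f["type"])
        if window is None:
            verdicts[f["id"]] = ("unclassified", None)
            continue
        remaining = parse_ts(f["first_seen"]) + window - now
        hours_left = round(remaining.total_seconds() / 3600, 1)
        state = "overdue" if remaining < timedelta(0) else "within_sla"
        verdicts[f["id"]] = (state, hours_left)
    return verdicts


def gate(verdicts):
    """Fail closed: overdue findings block the deploy, and so do unclassified ones."""
    blocking = sorted(fid for fid, (state, _) in verdicts.items()
                      if state in ("overdue", "unclassified"))
    return ("fail" if blocking else "pass", blocking)


def report(findings, now, sla=SLA):
    """One line per finding plus the gate decision, for the CI log or a security portal."""
    verdicts = evaluate(findings, now, sla)
    lines = [f"{fid}: {state}" + (f" ({hours:+.1f} h)" if hours is not None else "")
             for fid, (state, hours) in verdicts.items()]
    decision, blocking = gate(verdicts)
    lines.append(f"gate: {decision}" + (f" (blocking: {', '.join(blocking)})" if blocking else ""))
    return lines


if __name__ == "__main__":
    # Constructed "current time" so the run is reproducible offline.
    print("\n".join(report(FINDINGS, parse_ts("2024-01-10T14:00:00Z"))))
```

Failing closed on an unclassified finding is a deliberate choice: the slide’s playbook routes anything without inspection or an agreed rule to manual intervention and the decisions board, so the gate should surface it rather than silently waving it through.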
20. Is there a way to simplify this to shift left?
Everyone knows Maslow…
If you can remember 5 things, remember these ->
“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”
21. Experiments and heroes are welcome!
• Experiments and sharing have the ability to help everyone in the community
• There are many heroes popping up in DevSecOps
• It’s our time to change what none of us liked before.
• There may never be a better time in the next 20+ years to achieve safer software sooner…
Photo: A. Member, superman vs. egg @ Pickit
22. Isn’t it time to upgrade our “cats” too?
Photo: P. Svangren @ Pickit; https://www.flickr.com/photos/mjhagen/2973212926
24. Join the conversation #devseccon
Join us…
• Get involved.
• Write an article.
• Give and take feedback.
• Contribute to Open Source.
• Give feedback.
• Volunteer.
Editor’s notes
2011
477k+ jobs in 2017 is a powerful tide…
2012…
12k+ jobs in 2017 is nothing to sneeze at…
2016
76k+ jobs in 2017 is a definite commitment…
2013 - As security practitioners, there has never been a better time to get involved in transforming what doesn’t work.
That’s a lot of skills to build… Products aren’t ready… Processes haven’t been developed… Metrics don’t exist.