Tools & techniques: building a DevSecOps culture at Mozilla (SBA Live Academy, May 2020)

"Tools & Techniques from building a DevSecOps culture at Mozilla"

For the past decade, security teams at Mozilla have sharpened their tools and improved their techniques to mature the security culture of the organization, and dramatically reduce vulnerabilities and risks. In this talk, Julien shows how Mozilla approaches DevSecOps and shares lessons learned from that journey.

Speaker:
Julien Vehent, Firefox Operations Security
Talk language: English

About the Speaker:
*********************

Julien Vehent is a French computer security engineer who leads the Firefox Operations Security team at Mozilla. He specializes in web application security, cloud infrastructure, cryptography and risk management. He is the author of “Securing DevOps”, published by Manning in 2018.

Slides:

  1. Building a DevOps Security Culture at Mozilla. Julien Vehent, Mozilla.
  2. $ whoami. twitter: jvehent, web: https://j.vehent.org, email: julien@vehent.org
  3. (image)
  4. (image)
  5. (image)
  6. It didn’t use to be this way.
  7. Comfort zone. Oh hey, let’s do the DevSecOps thing!
  8. Behold the security engineer.
  9. git commit -a . && git push origin master
  10. Sops, or what happens when security guys write ops tools.
  11. Don’t just build security tools. Build operational tools that do things securely.
  12. Embedded.
  13. Centralized vs. distributed (org charts: C-Suite, CISO, Eng. grp A and B, each with Ops, Dev and Sec). Centralized security orgs are often too far from devs & ops to be impactful. Distributed security orgs have better impact but worse strategy & coordination.
  14. Embedding (org chart: C-Suite, CISO, Eng. grp A and B, each with Ops, Dev and Sec). The hybrid embedded model distributes engineers from a central security org into dev & ops teams. Managers of those teams have direct influence on the work of the embedded engineers, but security strategy & coordination is centralized.
  15. Embedding works both ways: Security Champions (org chart as above). Champions are engineers from dev & ops teams who are treated like security team members and have direct access to all the resources of the security org.
  16. Assumptions lead to vulnerability.
  17. Trust the data.
  18. Trust the tests. github.com/mozilla/frost
  19. Setting the expectations.
  20. (image)
  21. CI configuration that builds the application container and runs the OWASP ZAP baseline scan against it, followed by the scan output:

        test:
          override:
            # build and run an application container
            - docker build -t myrepo/myapp .
            - docker run myrepo/myapp &
            # retrieve the ZAP container
            - docker pull owasp/zap2docker-weekly
            # run the baseline scan against the application
            - docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://172.17.0.2:8080/ -m 3 -i

        WARN: Web Browser XSS Protection Not Enabled [10016] x 3
            https://www.example.com
            https://www.example.com/robots.txt
            https://www.example.com/sitemap.xml
        WARN: X-Content-Type-Options Header Missing [10021] x 1
            https://www.example.com
        FAIL-NEW: 0  FAIL-INPROG: 0  WARN-NEW: 4  WARN-INPROG: 0  INFO: 0  IGNORE: 0  PASS: 22

  22. Security checklists. github.com/mozilla-services/websec-check
  23. Self-service assessments. observatory.mozilla.org
  24. Clear expectations ↓ Checklist ↓ Self assessment ↓ Profit
  25. Not having to say “no”.
  26. Ships are safe in harbor. But that’s not what ships are for.
  27. Rapid Risk Assessments. mzl.la/2mkWN37
  28. To go beyond the security team, get the security team closer to your organization.
  29. Thank you! securing-devops.com
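The scan on slide 21 only sets an expectation if its output decides whether the job passes. The gate below is an added example, not code from the deck or from Mozilla: it parses the zap-baseline.py summary counters and per-rule findings and fails the job on any new FAIL or on more new warnings than the team has agreed to carry. The sample output is constructed to mirror the slide; `ZAP_SAMPLE` and the three function names are this example's own.

```shell
#!/bin/sh
# Constructed sample shaped like the zap-baseline.py output on the slide (not real scan data)
ZAP_SAMPLE='WARN: Web Browser XSS Protection Not Enabled [10016] x 3
    https://www.example.com
    https://www.example.com/robots.txt
    https://www.example.com/sitemap.xml
WARN: X-Content-Type-Options Header Missing [10021] x 1
    https://www.example.com
FAIL-NEW: 0  FAIL-INPROG: 0  WARN-NEW: 4  WARN-INPROG: 0  INFO: 0  IGNORE: 0  PASS: 22'

# zap_counter NAME OUTPUT: value of the NAME counter on the summary line (0 if absent)
zap_counter() {
    n=$(printf '%s\n' "$2" | grep '^FAIL-NEW:' \
        | sed -n "s/.*$1: *\([0-9][0-9]*\).*/\1/p")
    echo "${n:-0}"
}

# zap_findings OUTPUT: one "LEVEL RULEID COUNT" line per rule ZAP reported,
# a stable form to diff against the previous run or to file as tickets
zap_findings() {
    printf '%s\n' "$1" \
        | sed -n 's/^\([A-Z][A-Z-]*\): .*\[\([0-9][0-9]*\)\] x \([0-9][0-9]*\).*/\1 \2 \3/p'
}

# zap_gate OUTPUT [MAX_WARN]: returns 0 when there are no new failures and WARN-NEW is
# within the agreed budget (default 0), 1 otherwise. zap-baseline.py itself exits
# non-zero on any WARN, so the slide's job would already fail on its 4 warnings; this
# gate states the budget explicitly instead of silencing the scan with "|| true".
zap_gate() {
    fails=$(zap_counter FAIL-NEW "$1")
    warns=$(zap_counter WARN-NEW "$1")
    budget=${2:-0}
    if [ "$fails" -eq 0 ] && [ "$warns" -le "$budget" ]; then
        return 0
    fi
    echo "ZAP gate failed: FAIL-NEW=$fails WARN-NEW=$warns (budget $budget)" >&2
    return 1
}

# Stand-alone run: list the findings, then apply a budget of 4 new warnings
zap_findings "$ZAP_SAMPLE"
zap_gate "$ZAP_SAMPLE" 4 && echo "ZAP gate passed"
```

In the slide's CI job the scan output would be captured to a file and passed to `zap_gate` as the job's last step, with the budget lowered as the warnings are fixed.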
