State of DevSecOps - DevSecOpsDays 2019
•Als PPTX, PDF herunterladen•
0 gefällt mir•272 views
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie State of DevSecOps - DevSecOpsDays 2019
Ähnlich wie State of DevSecOps - DevSecOpsDays 2019 (20)
Mehr von Stefan Streichsbier
Mehr von Stefan Streichsbier (7)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
State of DevSecOps - DevSecOpsDays 2019
- 1. The State of DevSecOps Stefan Streichsbier CEO - GuardRails
- 3. What do these companies have in common? <10 years
- 4. Tech Startups in Asia – #10YearChallenge 2009 vs 2019
- 5. How is that possible?
- 6. 1. Existing solutions are no longer adequate Software and services provide a terrible user experience Many industries have not been innovated in decades 95% of the 1955 Fortune 500 don’t exist anymore
- 7. 2. Internet enables wide-spread distribution Customers Are EverywhereNo Need To Go To A Physical Location Digital Marketing Scales Better Than Sales Teams
- 8. 3. Cheaper to create & operate Software Startup Ecosystems Empower Entrepreneurs Open Source Software Provides Building Blocks Cloud Computing Provides Low Barrier of Entry
- 9. To summarize Existing solutions are ripe for replacement Creating new technology solutions was never faster, easier, and cheaper Software can be distributed globally
- 10. DevSecOps: How important is it really? • Agile took us from months to days to develop value • DevOps took us from months to minutes to ship value • Applications are mission critical for every business • Security remains one of the speed bumps for value realization
- 11. The real impact of hacks & breaches News is full of high-profile breaches that get widespread attention. But they are not the only target of hackers 43% of all cyber attacks target small businesses. 60% of small businesses that are Hacked go out of business within 6 months. 1/5 data breaches are the result of attackers abusing insecure web applications.
- 13. The Evolution of Security Tools Secure SDLCPenetration Testing DevSecOps Duration 2-4 weeks 1-2 weeks Continuous and Real-time Tools • Port Scanners • Vulnerability Scanners • Exploitation Tools Audience • Security Professionals Tools • Code Security Scanners • Dynamic Security Scanners • Vulnerability Scanners Audience • Security Professionals in Enterprise Security Teams Tools • Code Security Scanners • Interactive Security Scanners • Runtime Application Self Protection Audience • Developers in Product Teams
- 14. Security Development Operations The Evolution of Security Teams Secure SDLCPenetration Testing DevSecOps Security Development Operations Security Development Operations “Department of NO” “Let’s work together” “How can we help you succeed?”
- 15. Modern security teams can only empower dev teams! 100 10 1 Dev Ops Sec: : : : Looks like we have a scale problem
- 17. - John Willis You build it, you secure it. Think Responsibility vs. Accountability
- 19. Understanding benefits of security controls Create Test Monitor Challenges • Changing human behavior • Difficult to enforce • People churn Benefits • Reduce new vulnerabilities Challenges • Vulnerability Noise • Fixing issues • Coverage of issues Benefits • Enforceable • Provide Metrics Challenges • Coverage of issues Benefits • Enforceable • Provide Metrics • Prevent attacks Security
- 20. DevSecOps - Monitor Are your applications currently under attack? Are we automatically defending against this attack? What are attackers going after? • Micro Segmentation • Runtime Application Self Protection (RASP) • Bug Bounties Questions you should be able to answerAvailable Technologies
- 21. DevSecOps - Test Do the latest changes introduce new security issues? Does our code contain hard- coded secrets? Do any of our 3rd party libraries have known security issues? Questions you should be able to answer • Static Application Security Testing (SAST) • Sensitive Information Scanners (SIS) • Software Composition Analysis (SCA/CCA) • Dynamic Security Scanning (DAST) • Interactive Application Security Testing (IAST) Available Technologies
- 22. DevSecOps - Create Do your teams know the most common successful attacks? Who is the dedicated security contact in a team? Do your teams know how to detect and prevent them? Questions you should be able to answer • Security Awareness • Secure Coding Training • Shared Knowledge Base • Security Focused Hackathons • Security Champion Program Available Options
- 23. State of DevSecOps - Conclusion Security TeamTechnologies Product Team • Tools have improved • Choose them wisely • Solve technology problems • Cover the whole portfolio • Start acting on data in prod • Department of YES • Use scarce resources wisely • Empower product teams • Knowledge is power • Turn developers into security champs • Accountable to build it, run it, secure it • Be mindful that change takes time
- 24. DevSecOps Do we really need it now? There are some compelling statistics • It’s 30 times cheaper to fix security defects in development vs production • An average data breach costs an organization 5M USD • DevOps high-performers include security in their delivery process Security is a Competitive Advantage
- 25. Thank you
- 26. Get a curated list of security resources Consisting of: • Awesome security lists • Developer trainings • List of great security tools • Security Page templates • Free digital copy of my book • the slides • … and more Then send an email to: iwant@guardrails.io
Hinweis der Redaktion
- The are all from SEA! They didn’t exist 10 years ago. They are all tech companies. The are all considered unicorns (valued over 1 billion)
- And by the way, how many of you here today are in a fintech or any other kind of tech company startup? fintech slide -> You may join the unicorn club soon.
- It's astonishing how this game of david and goliath has changed the world in the last decade. Now, why is that possible? Software has become mission-critical!
- 1.) The existing solutions (in all industries) typically suck. -> The foundation of this opportunity. Simply put a lot of the existing incumbent solutions (in all industries) are coming from the waterfall era, have a terrible User Experience and follow an enterprise software model. Think about it, even the online banking solutions that exist today are typically much more user-friendly for consumers than they are for business users. -> Waterfall vs Agile vs DevOps "Wait, I have to use this stuff to collaborate? If I can use Facebook Messenger at home, why do I have this crummy messaging tool at work?" So that's certainly been one angle that I think has changed things.
- 2.) Software as a service and the internet in general allow wide-spread and instant distribution. Second is, obviously software as a service and the internet generally, you know, our ability, so we sell into 170 different countries now, so we never could have done that in a traditional enterprise model. We would have needed sales people all over the world, etc. So we can spread out the revenue generation, if you like, much more around the globe, much more quickly.
- 3.) The cost of producing and operating software has gone down significantly. The entry barrier is almost removed. And at the same time, the cost of producing that service or creating that software has gone down rapidly with open source, and cloud computing in terms of AWS, things like that. So we can effectively deliver a better product for cheaper and kind of instantly get it around the world and just let it bubble up. Cloud providers offer up to 100k credits for startups. Every major Saas product that a company needs either offers free plans for startups or heavily reduced prices. Cloud computing
- Litmus test, how long does it take you to get one line of code through your system?
- DevOps is all about breaking down barriers, have developers work with the business, with the ops team and simply out-innovate and out-ship the competition. Software has become mission-critical! Litmus test, how long does it take you to get one line of code through your system?
- While hacking-related data breaches and subsequent ransom demands to large corporations like HBO, Target, and Home Depot understandably garner widespread attention, t he resulting assumption that only large companies face this growing digital threat couldn’t be further from the truth. In fact, a study in 2016 found that 43% of all cyber attacks targeted small businesses. Even more alarming is that a staggering 60% of small businesses hit with a cyber attack or data breach go out of business within 6 months. Software has become mission-critical!
- Everyone!!! Ok, but who is accountable?
- Different Tools come from different eras and are focused on outcomes and different audiences.
- Working as an audit/control function Working as security gates in the lifecycle Empowering DevOps teams to move fast and be safe.
- Alright, so the purpose of security teams Is to support the engineering organization To ensure that the business can achieve Their goals. However, there is a scale problem. Think about how many developers you have in your organization. How many DevSecOps ready security folks? There is a global shortage of 2m cyber security professionals,. It just can’t be solved by throwing security people at the problem You gotta be smart,
- The traditional model is that you take your software to the wall that separates development and operations, and throw it over and then forget about it. Let’s look at how the big organizations are doing it. https://www.slideshare.net/ufried/the-truth-about-you-build-it-you-run-it
- You build it you secure it. What does that mean? It’s not a question of responsibility it’s a question of accountability. Why would any third party come and tell you what to do, they don’t know the context, don’t know the other stuff. Why would they run a tool for you that produces a million findings, and leave you with the results to clean it up? Oh and by the way, you have to get rid of all the medium and high before going live. Believe me, I am coming from a pentesting background, and there is no perfect security posture. So you gotta think about getting the guardrails established, at the very minimum. Get rid of all the low hanging fruits. Avoid counter productive best practices.
- Outside in approach Get data -> attacks, vulnerabilities, etc Don’t focus on 1 application, focus on getting this data for the whole portfolio (prioritize by business risk). Where can you solve technology problems reliably across Quality, Performance, Security
- Think Application Performance monitoring for security Understanding how your app is abused and misused helps with prioritization.
- Think Application Performance monitoring for security Understanding how your app is abused and misused helps with prioritization.
- Focus on the right improvements, e.g measuring defect density, etc. E.G if a technology can reliably identify and prevent a vulnerability in production, without having to involve humans to fix it, then That’s a good start. If you can have technology that alerts you of breaches while containing them, that’s great. Use it. If you have tools that you can embed in your pipeline to get more continuous security feedback into the hands of developers, then use that Be smart about where to use human efforts on and where not to. Security team should help engineering teams to succeed and achieve their mission. Not say no and delay releases like an audit function. Start with general training programs, there is excellent free training out there for engineers and basic security awareness. As you get more data from your tools, then you will be able to prioritize the next focus areas and teams that require that training. Teaching people and changing the culture is hard and takes a long time. It is still important but make sure all the other aspects are Reducing your risk while simultaneously buying time.
- Certain aspects that may not seem that relevant, will become the decisive advantage in the future. You can’t develop software and expect it to be secure after an audit at the end. The user and customer loyalty is ever decreasing, switching between companies nowadays means installing a different app. Price, user experience and more and more data privacy and security will decide who customers will choose.