DevSecOps is a new way to deliver security as part of the Software Supply Chain. It supports a built-in process and faster security feedback loop for DevOps teams.
DevSecCon Keynote
1. LONDON 2015
Join the conversation #devseccon
Securing Innovation @ Speed & Scale via DevSecOps
DEVSECCON LONDON 2015
@devsecops
2. Who am I?
• 25+ yrs Technology & Security Experience
• Background in Security R&D
• Working with the Cloud before it was called the "Cloud"
• Manage teams using DevOps, Agile & Scrum
• Incident Response & Crisis Management
-- FOUNDER --
3. The Race for Competitive Advantage…
Indicators that demonstrate change:
• Tailoring business to the needs of customers to achieve large-scale business returns is driving Cloud & DevOps adoption
• Small businesses and entrepreneurs are enabled to compete in complex business models with boutique appeal against Enterprises
• High performing teams are being developed and incubated in Enterprises to mimic the DevOps teams found in Start-ups.
4. Startups on the Rise in 2015…
From 1996 to 2015:
• Increase in Startups in 2015 shows rebound
• Entrepreneurs over 55 has nearly doubled
• Significant rise in immigrant Entrepreneurs
• New Entrepreneurs are on the rise again
• More men than women are becoming first time Entrepreneurs
kauffman.org
5. DevOps Growth…
Google Trends
• DevOps.com was bought in 2004
• Google searches for "DevOps" started to rise in 2010
• Major influences:
  • Saving your Infrastructure from DevOps / Chicago Tribune
  • DevOps: A Culture Shift, Not a Technology / Information Week
  • DevOps: A Sharder's Tale from Etsy
  • DevOps.com articles
• RuggedSoftware.org was bought in 2010
https://www.google.com/trends/
6. Cloud Security Boom…
• Cloud Platform security features are on the rise the last few years
• Security in the Cloud is becoming the norm
• Default configurations are still not quite there but will become the focus with growing thought leadership
• Cloud Providers must solve for providing security features that scale
• Security teams need to learn to use these features quickly
[Chart, source AWS re:Invent 2015: count of cloud platform security features per year, 2007 to 2015; plotted values 48, 61, 82, 159, 280, 514, ?]
7. Big Data?
• Reflecting on this 2013 article
• Devices & IoT drive bigger data
• Instrumentation <- Security needs this
• Asset management & monitoring
• Service Support
http://www.enterprisecioforum.com/big-data-case-study-utilities/
8. DevOps increases speed & scale…
"This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers 'an evolutionary fork in the road' which could lead to the 'end of security as we know it,'" added Joshua Corman, founder of Rugged DevOps and I am the Cavalry.
http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
9. So what hinders "secure" innovation @ speed & scale?
1. Friction for friction's sake
2. Manual processes & meeting culture
3. Point in time assessments
4. Decisions being made outside of value creation
5. Contextual misunderstandings
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
10. And then there's… Security & Compliance!
• The discipline is very complex
• Majority of the Security Industry is Vendor dependent
• Requires Meetings, Appointments, and Point in Time evaluations with low context
• Requirements are dependent on what is developed
• The art of "No" has become its own science
11. Can Security evolve?
[Diagram: DEV, OPS and SEC as overlapping circles, with AppSec at the intersection]
• Security as Code
• Self-Service Testing
• Red Team/Blue Team
• Inline Enforcement
• Analytics & Insights
• Detect & Contain
• Incident Response
• Investigations
• Forensics
12. What's the DevSecOps Mission?
…creating targeted customer value through secure iterative innovation at speed & scale…
Security is Everyone's Job!
13. What should we value to evolve Security for DevOps?
Leaning in over Always Saying "No"
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
In essence, don't waste people's time with Fear -> Uncertainty -> Doubt
devsecops.org
14. Imagine adding Security into the DevOps pipeline…
[Diagram: a "Security Self-Service" layer spanning the skills Biz, UX, Dev, Data Science, App Sec, Sec Eng, Comp Ops, Sec Ops, Ops and Training, layered over Software & Infrastructure Platforms, Software Components & Resources, "YOUR APP STACK GOES HERE", and Operational Tools & Monitoring]
collaboration, partnership, value creation, self-service [DevOps, Agile, Scrum, Cloud]
15. The Art of DevSecOps (Security View)
DevSecOps:
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
16. Can we make it simple? Yes!
• Smaller Teams
• Smaller Services
• Smaller Failures
• REST APIs drive culture
• Customer focus
• Deep problem understanding throughout org
• Deliberate dedication to solving and simplifying tech challenges
• Products and Services have security built-in along the supply chain
• Security removes barriers and roadblocks as self-service for DevOps
• Managers map, magnify and multiply to create culture blast radius
17. How can we get started?
Small Project:
Approach is tailored to small experiments and pipeline testing.
Pros:
• Requires DevOps approach
• Fast failures
• Team learns to collaborate
• Higher productivity, less waste
Cons:
• Skill shortages
• Team needs vision to avoid micro-focus churn
Migration:
Approach allows organization to map and adjust for what they already know.
Pros:
• Allows companies to keep operating while teams figure out what's needed
Cons:
• Overload
• Can be slower to accomplish completion
• Failures can become complex
Big Project:
Approach is "all-in" and used to transform an organization as a whole.
Pros:
• Firm commitment alleviates political back and forth
• Focus & all-in speed
Cons:
• Bigger failures
• Difficult for everyone to learn from mistakes and experiments
18. Small Project -> The Provocation
How can we transform a control into a self-aware, self-reporting, self-healing component that can be consumed at speed & scale?
Our challenge is to begin the process of creating self-aware and self-reporting components. This process can be achieved using configuration management tools, open source and log management systems. Let's work with the IA Controls from NIST 800-53 today and use the implementation of MFA as an example. Specifically, IA-2 calls for multi-factor authentication, which is available in some Software Defined Environments as a feature. Let's look at how we can enable MFA within our Stack and the different use cases that are present and require security baseline components.
Questions to answer:
1. How can baseline components be shared and extended?
2. Once the component is ready to be used, implemented, then what?
3. What about the feedback loop?
4. What is the best way to create an automated report that is continuously built and maintained?
5. How can we report across a full-stack?
6. What tools can assist?
Compliance at Velocity (https://medium.com/compliance-at-velocity)
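The slide asks for an IA-2 (MFA) control that is self-aware, self-reporting and self-healing. The following Python is an added example written for this page, not code from the talk or from devsecops.org. It evaluates a constructed CSV in the shape of an IAM credential report (a subset of the real columns) and produces a machine-readable report plus a remediation plan. The policy name `RequireMFA` and the escalation step are assumptions; the same structure covers the "MFA built into APIs" slide later on.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample in the shape of an IAM credential report (subset of columns);
# it is not real account data.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false,true
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true
carol,arn:aws:iam::123456789012:user/carol,true,false,false
"""

CONTROL_ID = "IA-2"            # NIST SP 800-53: identification and authentication
ROOT = "<root_account>"
ENFORCE_POLICY = "RequireMFA"  # hypothetical policy name: denies everything until MFA is present


def parse_report(text):
    """Parse the credential report CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def interactive(row):
    # The root row reports password_enabled=not_supported but always has console access.
    return row["password_enabled"] in ("true", "not_supported")


def evaluate_mfa(rows):
    """Self-aware: one finding per identity that can log in interactively without MFA."""
    findings = []
    for row in rows:
        if interactive(row) and row["mfa_active"] != "true":
            findings.append({
                "control": CONTROL_ID,
                "user": row["user"],
                "arn": row["arn"],
                "issue": "console access without MFA",
                "severity": "critical" if row["user"] == ROOT else "high",
            })
    return findings


def plan_remediation(findings):
    """Self-healing: the actions an enforcement job would take for each finding.
    Root cannot have a policy attached, so it is escalated to a human instead."""
    plan = []
    for f in findings:
        if f["user"] == ROOT:
            plan.append({"action": "escalate", "user": ROOT, "reason": "root without MFA"})
        else:
            plan.append({"action": "attach_user_policy", "user": f["user"],
                         "policy": ENFORCE_POLICY})
    return plan


def build_report(rows, findings, now=None):
    """Self-reporting: a status document a dashboard or auditor can consume continuously."""
    now = now or datetime.now(timezone.utc)
    in_scope = [r for r in rows if interactive(r)]
    compliant = len(in_scope) - len(findings)
    return {
        "control": CONTROL_ID,
        "generated_at": now.isoformat(),
        "in_scope": len(in_scope),
        "non_compliant": len(findings),
        "compliance_pct": round(100.0 * compliant / len(in_scope), 1) if in_scope else 100.0,
        "findings": findings,
        "remediation": plan_remediation(findings),
    }


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(json.dumps(build_report(rows, evaluate_mfa(rows)), indent=2))
```

Run on a schedule, the report answers the slide's questions 3 and 4: the feedback loop is the report itself, and the remediation plan is what closes it. Access-key-only identities (deploy-bot) are deliberately out of scope for this control; key rotation is a separate check.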
19. Migrations -> One foot in… One foot out...
[Diagram: Traditional IT & Security on the left versus DevOps + DevSecOps on the right. Left: Web, App and DB tiers behind FW/IDS. Right: ELB, App and DBaaS behind FW/IDS.]
20. Big Project -> The Hail Mary
[Diagram: Traditional IT & Security versus "DevOps? + DevSecOps?": both sides still show Web, App and DB tiers behind FW/IDS, repeated twice]
What is this?
21. Why is the approach so important?
API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS
22. So let's recap before we move on to examples…
DevSecOps needs:
• Active Collaboration
• High Engagement
• Experimentation
• Open Contribution
• Fail Fast Culture
• Ability to adapt and learn
• DevOps Understanding
• Focusing on Simplicity
Not this one… This one!!
23. Perimeter Testing
THEN: PCI DSS 1.1.1 - Approve/Test/Detect firewall changes
  Labor: 40 hours/Annually
  Tools: Excel, Text Pad, Open Source or Commercial Config Management
  Measure: Certify annually
  Impact: High
NOW: Scan API, ingest Config/CloudTrail, trigger firewall audits and revert unapproved changes to heal to spec
  Labor: 40 hours/First Year, 8 hours per yr maintain
  Tools: APIs, Logs, Open Source, Commercial
  Measure: Mean time to Detection, Mean time to Resolve
  Impact: Depends on Resource
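The "NOW" column describes a firewall audit that compares what the API reports against an approved spec and reverts drift. The Python below is an added example for this page, not code from the talk: it normalises a constructed snapshot in the shape of EC2 DescribeSecurityGroups output (subset of fields), diffs it against a constructed approved spec, rates each unapproved rule, and emits the API calls that would heal the group. The group ids, CIDRs and spec are constructed; the two API names are the real EC2 operations, but nothing here calls them.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True, order=True)
class Rule:
    proto: str       # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int   # -1 when the permission carries no port (protocol "-1")
    to_port: int
    cidr: str


# Approved spec: the reviewed, signed-off ingress rules per group (constructed for this example).
APPROVED_SPEC = {
    "sg-0123abcd": {
        Rule("tcp", 80, 80, "0.0.0.0/0"),
        Rule("tcp", 443, 443, "0.0.0.0/0"),
        Rule("tcp", 22, 22, "10.0.0.0/8"),
    },
}

# Constructed snapshot in the shape of EC2 DescribeSecurityGroups output (subset of fields),
# as an API scan or an AWS Config item would deliver it.
OBSERVED_SNAPSHOT = [
    {
        "GroupId": "sg-0123abcd",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,           # drift: SSH opened to the world
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.1.0/24"}]},  # drift: all traffic, no ports
            # drift: the approved 443 rule has been deleted
        ],
    },
    {
        "GroupId": "sg-0999ffff",  # no spec exists for this group, so nothing in it is approved
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]

ADMIN_PORTS = {22, 3389}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def normalize(group):
    """Flatten one group's IpPermissions into a set of Rule values."""
    rules = set()
    for perm in group["IpPermissions"]:
        lo = perm.get("FromPort", -1)
        hi = perm.get("ToPort", -1)
        for rng in perm.get("IpRanges", []):
            rules.add(Rule(perm["IpProtocol"], lo, hi, rng["CidrIp"]))
    return rules


def risk(rule):
    """Severity of an unapproved rule; decides whether the revert is automatic or paged."""
    world = rule.cidr == "0.0.0.0/0"
    if world and (rule.proto == "-1" or rule.from_port in ADMIN_PORTS):
        return "high"
    return "medium" if world or rule.proto == "-1" else "low"


def audit(spec, snapshot):
    """Detect: compare each observed group with its spec -> {group_id: (unapproved, missing)}."""
    result = {}
    for group in snapshot:
        gid = group["GroupId"]
        observed = normalize(group)
        approved = spec.get(gid, set())
        result[gid] = (observed - approved, approved - observed)
    return result


def heal_plan(audit_result):
    """Heal: the API calls that return each group to spec, highest risk first within a group."""
    actions = []
    for gid, (unapproved, missing) in sorted(audit_result.items()):
        for r in sorted(unapproved, key=lambda r: (RISK_ORDER[risk(r)], r)):
            actions.append({"api": "RevokeSecurityGroupIngress", "group": gid,
                            "rule": asdict(r), "risk": risk(r)})
        for r in sorted(missing):
            actions.append({"api": "AuthorizeSecurityGroupIngress", "group": gid,
                            "rule": asdict(r), "risk": "restore"})
    return actions


if __name__ == "__main__":
    for action in heal_plan(audit(APPROVED_SPEC, OBSERVED_SNAPSHOT)):
        print(action)
```

Mean time to detection is the interval between two runs of `audit`; mean time to resolve is how long the plan takes to apply. A group with no spec at all is treated as fully unapproved, which is the behaviour you want for a deploy that bypassed review.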
24. Configuration Management/Baselines
THEN: PCI DSS 2.2 - Develop & assure configuration standards for all system components.
  Labor: 40 hours/Annually/Per Major Component
  Tools: Excel, Text Pad, Open Source or Commercial Config Management
  Measure: Certify annually
  Impact: High
NOW: Track known good CF stacks & AMIs, alert or neutralize non-compliant/non-approved deploys
  Labor: 40 hours/First Year, 1 hour per yr maintain/Per Component
  Tools: APIs, Logs, Open Source, Commercial
  Measure: Mean time to Detection, Mean time to Resolve
  Impact: High
25. Encrypting Sensitive Data
THEN: HIPAA 164.312(a)(2)(iv): Implement a method to encrypt and decrypt electronic protected health information.
  Labor: 1 FTE minimum per 3 DevOps Teams
  Tools: Commercial, Open Source
  Measure: Certify annually
  Impact: High
NOW: Enforce encryption of all assets by platform or data classification tags. Continuous enforcement and automated detection.
  Labor: 8 hours
  Tools: APIs, Logs, Open Source, Commercial
  Measure: Mean time to Detection, Mean time to Resolve
  Impact: High
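Slides 24 and 25 both describe the same mechanism: a scheduled check that compares deployed assets against a baseline (known-good AMIs) or a data-classification tag (encryption required), then alerts or neutralizes. The Python below is an added example for this page, not the talk's code. The inventory, AMI ids and tag name `DataClassification` are constructed assumptions; the control references are the ones quoted on the two slides.

```python
from collections import Counter

# Constructed approved baseline: AMI id -> known-good build name.
APPROVED_AMIS = {"ami-0aaa1111": "web-base-2015.10", "ami-0bbb2222": "db-base-2015.09"}
SENSITIVE = {"confidential", "phi", "pci"}
CLASS_TAG = "DataClassification"   # assumed tag name; pick whatever your tagging standard uses

# Constructed inventory, as an API scan or AWS Config export would deliver it (subset of fields).
INSTANCES = [
    {"id": "i-001", "ami": "ami-0aaa1111", "tags": {"Name": "web-1", CLASS_TAG: "public"}},
    {"id": "i-002", "ami": "ami-0bbb2222", "tags": {"Name": "db-1", CLASS_TAG: "phi"}},
    {"id": "i-003", "ami": "ami-0ccc3333", "tags": {"Name": "test-box"}},  # unknown AMI, untagged
]
VOLUMES = [
    {"id": "vol-01", "instance": "i-001", "encrypted": False, "tags": {}},
    {"id": "vol-02", "instance": "i-002", "encrypted": False, "tags": {}},  # inherits phi: violation
    {"id": "vol-03", "instance": "i-002", "encrypted": True, "tags": {CLASS_TAG: "phi"}},
    {"id": "vol-04", "instance": None, "encrypted": False, "tags": {CLASS_TAG: "pci"}},  # detached
]


def classification(volume, instances_by_id):
    """The volume's own tag wins; otherwise inherit from the attached instance; else unclassified."""
    if CLASS_TAG in volume["tags"]:
        return volume["tags"][CLASS_TAG]
    inst = instances_by_id.get(volume["instance"])
    if inst:
        return inst["tags"].get(CLASS_TAG, "unclassified")
    return "unclassified"


def check_baselines(instances, volumes, approved_amis):
    """Detect: one finding per baseline or encryption violation, each with the response to take."""
    findings = []
    by_id = {i["id"]: i for i in instances}
    for inst in instances:
        if inst["ami"] not in approved_amis:
            # Non-approved deploy: the slide's "neutralize" (an enforcement job would stop it).
            findings.append({"resource": inst["id"], "control": "PCI DSS 2.2",
                             "issue": "AMI not in approved baseline",
                             "severity": "high", "action": "neutralize"})
        if CLASS_TAG not in inst["tags"]:
            findings.append({"resource": inst["id"], "control": "PCI DSS 2.2",
                             "issue": "missing classification tag",
                             "severity": "low", "action": "alert"})
    for vol in volumes:
        cls = classification(vol, by_id)
        if cls in SENSITIVE and not vol["encrypted"]:
            # A volume cannot be encrypted in place, so this is an alert with a re-create task.
            findings.append({"resource": vol["id"], "control": "HIPAA 164.312(a)(2)(iv)",
                             "issue": f"{cls} data on unencrypted volume",
                             "severity": "high", "action": "alert"})
    return findings


def summarize(findings):
    """Per-action counts for the dashboard: how much is auto-handled versus paged."""
    return dict(Counter(f["action"] for f in findings))


if __name__ == "__main__":
    for f in check_baselines(INSTANCES, VOLUMES, APPROVED_AMIS):
        print(f)
    print(summarize(check_baselines(INSTANCES, VOLUMES, APPROVED_AMIS)))
```

Inheriting classification from the attached instance is what makes the tag-based rule enforceable: a DB host tagged `phi` cannot escape the check by attaching an untagged volume.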
26. Access Management
THEN: NIST 800-53 AC-2(12) - Monitors and reports atypical usage of information system accounts.
  Labor: 1 FTE minimum
  Tools: Commercial, Open Source
  Measure: Certify quarterly, annually
  Impact: High
NOW: CloudTrail/Config user attribution of use/abuse, ability to reduce team size and allow for smaller containers
  Labor: 40 hours Dev, 8 hours Maintain
  Tools: APIs, Logs, Open Source, Commercial
  Measure: Mean time to Detection, Mean time to Resolve
  Impact: High
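The "NOW" column turns AC-2(12) into detection logic over CloudTrail. The Python below is an added example for this page, not the talk's code: it runs a few atypical-usage rules over constructed records in the shape of CloudTrail events (subset of fields) against a constructed per-user baseline of known source IPs and usual hours, and attributes findings per user. The baseline and the events are constructed; in practice the baseline is learned from a trailing window of the same log.

```python
from collections import Counter
from datetime import datetime

# Constructed CloudTrail-style records (subset of fields); not real log data.
SAMPLE_EVENTS = [
    {"eventTime": "2015-11-05T09:12:33Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2015-11-06T03:40:02Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},                       # new IP, middle of the night
    {"eventTime": "2015-11-06T10:05:41Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.22", "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-11-06T11:00:17Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.5", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2015-11-06T14:20:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "10.0.1.50"},                          # normal automation activity
]

# Constructed per-user baseline: known source IPs and usual working hours (UTC).
BASELINE = {
    "alice": {"ips": {"203.0.113.10"}, "hours": range(7, 20)},
    "bob": {"ips": {"203.0.113.22"}, "hours": range(7, 20)},
    "deploy-bot": {"ips": {"10.0.1.50"}, "hours": range(0, 24)},
}


def actor(event):
    """Attribute the event to a principal name; root has no userName field."""
    ident = event["userIdentity"]
    if ident["type"] == "Root":
        return "root"
    return ident.get("userName", ident.get("arn", "unknown"))


def detect(events, baseline):
    """Run the atypical-usage rules over each event; return one finding per rule hit."""
    findings = []
    for ev in events:
        user = actor(ev)
        hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
        ip = ev["sourceIPAddress"]
        ctx = {"user": user, "event": ev["eventName"], "ip": ip, "time": ev["eventTime"]}
        if user == "root":
            # Any root use is atypical by policy; there is no per-user baseline for it.
            findings.append({**ctx, "issue": "root account used", "severity": "critical"})
            continue
        if ev["eventName"] == "ConsoleLogin" and \
                ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append({**ctx, "issue": "console login without MFA", "severity": "high"})
        profile = baseline.get(user)
        if profile is None:
            findings.append({**ctx, "issue": "no baseline for user", "severity": "medium"})
            continue
        if ip not in profile["ips"]:
            findings.append({**ctx, "issue": "new source IP", "severity": "medium"})
        if hour not in profile["hours"]:
            findings.append({**ctx, "issue": "activity outside usual hours", "severity": "low"})
    return findings


def attribute(findings):
    """Per-user finding counts: the AC-2(12) report of who is behaving atypically."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS, BASELINE)
    for h in hits:
        print(h)
    print(attribute(hits))
```

The rules are deliberately simple so that each finding is explainable to the account owner; the value comes from running them on every event as it lands rather than quarterly.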
27. Multi-Factor Authentication
THEN: NIST 800-53 IA-2 - The information system uniquely identifies and authenticates organizational users
  Labor: 1 FTE minimum
  Tools: Commercial, Open Source
  Measure: Certify annually
  Impact: High
NOW: MFA built into APIs and Cloud Platforms can be exposed for authorization decisions
  Labor: 1 hour per week
  Tools: APIs, Logs, Open Source, Commercial
  Measure: Mean time to Resolve
  Impact: High
Global Call to Action 2015
28. Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity
• Join Us!!!
• Spread the word!!!