DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But when things go wrong, and we know they will, are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
From Innotech Austin 2019 and Cloud Austin Nov 2019
2. James Wickett
Sr. Sec Eng & Dev Advocate @ Verica
Author, LinkedIn Learning
Organizer, DevOps Days Austin, Serverless Days ATX
DevSecOps Days Austin
Author, DevSecOps Handbook (In progress)
@wickett
5. verica.io
An enterprise platform for Continuous Verification, using Chaos Engineering principles, to take a proactive and measured approach to preventing availability and security incidents.
27. “The rumble of the two trains, faint and far off at first but growing nearer and more distinct with each fleeting second, was like the gathering force of a cyclone”
36. Aftermath:
» 4 people died
» Crush fired
» Widespread injuries during incident
» More injuries after incident
» Town shut down
» Lawyers brought in for settlements
71. “While engineering teams are busy deploying leading-edge technologies, security teams are still focused on fighting yesterday’s battles.”
SANS 2018 DevSecOps Survey
97. “The goal should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed.”
101. Maker Driven means
» See security as part of engineering
» View quality as a way to bring security in
» Use code, not vendors, to solve problems
118. Security in the Pipeline
» Software composition analysis
» Lang linters, git-hound, ...
» Scanners, gauntlt
» Monitoring and telemetry
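The quote on slide 97 (automated tests that run every time the system is built and deployed) and the pipeline list on this slide meet in a CI gate. Below is an added example written for this transcript; it is not code from the deck, from git-hound or from gauntlt. It checks only the added lines of a unified diff for secret patterns (the git-hound style of pre-commit check) and checks pinned dependencies against an advisory table (a minimal form of software composition analysis). The regexes, the advisory table and the sample diff and requirements file are constructed for illustration; a real gate would load its patterns and advisories from a maintained feed.

```python
"""CI security gate: secrets check on a diff plus a dependency (SCA) check.

Added example for this deck; the regexes, advisory table and sample inputs
below are constructed and do not come from git-hound, gauntlt or any feed.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed secret patterns in the spirit of a git-hound style pre-commit check.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_literal": re.compile(r"(?i)(password|passwd|secret)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

# Constructed stand-in for a real advisory feed: (package, version) -> advisory id.
VULNERABLE_PACKAGES = {
    ("requests", "2.19.0"): "EXAMPLE-ADVISORY-0001 (constructed)",
    ("pyyaml", "5.3"): "EXAMPLE-ADVISORY-0002 (constructed)",
}


@dataclass(frozen=True)
class Finding:
    check: str      # "secrets" or "sca"
    location: str   # file the finding was seen in
    detail: str


def scan_diff_for_secrets(diff_text: str) -> list[Finding]:
    """Check only the added lines of a unified diff, as a pre-commit hook would."""
    findings: list[Finding] = []
    current_file = "<unknown>"
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].strip()
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        if not line.startswith("+"):
            continue  # context and removed lines are not checked
        added = line[1:]
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(added):
                findings.append(Finding("secrets", current_file, name))
    return findings


def check_dependencies(requirements_text: str) -> list[Finding]:
    """Flag unpinned requirements and pins that match the advisory table."""
    findings: list[Finding] = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            findings.append(Finding("sca", "requirements.txt", f"unpinned dependency: {line}"))
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        advisory = VULNERABLE_PACKAGES.get((name.lower(), version))
        if advisory:
            findings.append(Finding("sca", "requirements.txt", f"{name}=={version}: {advisory}"))
    return findings


def run_gate(diff_text: str, requirements_text: str) -> tuple[bool, list[Finding]]:
    """Return (passed, findings); a CI job fails the build when passed is False."""
    findings = scan_diff_for_secrets(diff_text) + check_dependencies(requirements_text)
    return (not findings, findings)


# Constructed sample inputs: a diff that adds two hard-coded credentials and a
# requirements file with one advisory hit and one unpinned package.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,4 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2-but-longer"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
"""
SAMPLE_REQUIREMENTS = "requests==2.19.0\npyyaml==5.4.1\nflask\n"

if __name__ == "__main__":
    passed, results = run_gate(SAMPLE_DIFF, SAMPLE_REQUIREMENTS)
    for f in results:
        print(f"[{f.check}] {f.location}: {f.detail}")
    sys.exit(0 if passed else 1)
```

Wired into a build step, the non-zero exit turns each finding into a failed build rather than a ticket for the security team, which is the point of the slide: the check runs on every build and every deploy, and the engineer who introduced the line is the one who sees it.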
119. “[Deploys] can be treated as standard or routine changes that have been pre-approved by management, and that don’t require a heavyweight change review meeting.”
130. Root Cause (in a complex system) is a Myth
» Lacks full picture
» Complex systems are not linear
» Result of blame culture
» Forgets organizational decisions
» Puts the focus on the event over situation
131. “Drifting into failure is a gradual, incremental decline into disaster driven by environmental pressure, unruly technology and social processes that normalize growing risk. No organization is exempt from drifting into failure”
132. Boeing 737 Max
» Maneuvering Characteristics Augmentation System (MCAS)
» MCAS commands the trim without notifying the pilots
» This is software
142. Where Security Fits
» Add safety margin
» Telemetry and instrumentation
» Blameless retros
» ...more to explore in this area
143. Resources
» Drift into Failure by Dekker
» Understanding Human Error Video Series youtu.be/Fw3SwEXc3PU
» @jpaulreed coverage of Boeing medium.com/@jpaulreed
» Richard Cook paper bit.ly/2ydDQS2
168. “[Chaos Engineering is] empirical rather than formal. We don’t use models to understand what the system should do. We run experiments to learn what it does.”
Michael Nygard, Release It 2nd Ed.
169. “The security discipline of [chaos] experimentation is done in order to build confidence in the system’s ability to defend against malicious conditions.”
Aaron Rinehart
170. Chaos Engineering
» Experiments that span eng and security
» Manual opt-out
» Valuable Learning
» Controlled experiment blast radius
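The four bullets on this slide (an experiment that spans engineering and security, a manual opt-out, a controlled blast radius, and learning from the result) can be shown as one small harness. The following is an added example written for this transcript; it is not code from the deck or from Verica. It models a fleet of hosts with a toy firewall representation, injects one misconfiguration (admin port opened to every source) on a capped fraction of the fleet, asks a detector whether it noticed, and always rolls back. The fleet, the firewall model, the `audit_detector` stand-in and the `CHAOS_HALT` opt-out convention are all constructed assumptions; in a real run the detector would query the monitoring that is supposed to fire, and the opt-out would be whatever kill switch the operators agree on.

```python
"""Security chaos experiment with a blast-radius cap and a manual opt-out.

Added example, not code from the deck or from Verica. The fleet, the firewall
representation and the detector are constructed stand-ins for real systems.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field
from typing import Callable

ADMIN_PORT = 22
ANY_SOURCE = "0.0.0.0/0"


@dataclass
class Host:
    name: str
    # Constructed firewall model: set of (port, source_cidr) allow rules.
    allow_rules: set[tuple[int, str]] = field(default_factory=set)


def audit_detector(hosts: list[Host]) -> list[str]:
    """Stand-in for the security monitoring under test: names hosts that expose
    the admin port to every source. A real run would query the SIEM/CSPM here."""
    return sorted(h.name for h in hosts if (ADMIN_PORT, ANY_SOURCE) in h.allow_rules)


def env_halt_requested() -> bool:
    """Default manual opt-out: an operator sets CHAOS_HALT=1 (assumed convention)."""
    return os.environ.get("CHAOS_HALT") == "1"


@dataclass
class ExperimentResult:
    steady_state_before: bool   # detector quiet before injection
    injected: list[str]         # hosts we actually misconfigured
    detected: list[str]         # hosts the detector flagged during the fault
    steady_state_after: bool    # detector quiet again after rollback
    aborted: bool = False       # operator opt-out fired

    @property
    def hypothesis_held(self) -> bool:
        """'Every injected exposure is detected, and rollback restores steady state.'"""
        return (self.steady_state_before and not self.aborted
                and sorted(self.injected) == self.detected
                and self.steady_state_after)


def run_security_experiment(
    hosts: list[Host],
    max_blast_fraction: float = 0.2,
    opt_out: Callable[[], bool] = env_halt_requested,
    detector: Callable[[list[Host]], list[str]] = audit_detector,
) -> ExperimentResult:
    # 1. Steady-state hypothesis: the detector is quiet before we touch anything.
    before = detector(hosts) == []
    # 2. Blast radius: never touch more than max_blast_fraction of the fleet.
    limit = max(1, int(len(hosts) * max_blast_fraction))
    targets = hosts[:limit]
    snapshot = {h.name: set(h.allow_rules) for h in hosts}
    injected: list[str] = []
    detected: list[str] = []
    aborted = False
    try:
        for host in targets:
            # 3. Manual opt-out is checked before every single action.
            if opt_out():
                aborted = True
                break
            host.allow_rules.add((ADMIN_PORT, ANY_SOURCE))  # the injected fault
            injected.append(host.name)
        detected = detector(hosts)
    finally:
        # 4. Rollback always runs, whether we finished, aborted or crashed.
        for h in hosts:
            h.allow_rules = snapshot[h.name]
    after = detector(hosts) == []
    return ExperimentResult(before, injected, detected, after, aborted)


if __name__ == "__main__":
    fleet = [Host(f"web-{i}", {(443, ANY_SOURCE)}) for i in range(10)]
    result = run_security_experiment(fleet)
    print("hypothesis held" if result.hypothesis_held else "hypothesis refuted", result)
```

The learning comes from `hypothesis_held` being false: a detector that only reports the first exposed host, or one that never fires, refutes the hypothesis while the rollback still leaves the fleet as it was found, which is what keeps the experiment a controlled one rather than an outage.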