Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
OWASP AppSec California 2018
3. @WICKETT
‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
‣ ORGANIZER OF DEVOPS DAYS AUSTIN
‣ LYNDA.COM AUTHOR ON DEVOPS
‣ BLOG AT THEAGILEADMIN.COM
@WICKETT
4. @WICKETT
‣ DEVOPS IS CHANGING AND THERE IS A BIG RISK
TO LOSE OUR WAY.
‣ SECURITY IS IN CRISIS
‣ SECURITY AT FORWARD-LEANING SHOPS HAVE
FOUND THE NEW WAY.
‣ LET’S JUXTAPOSE THE OLD WAY AND THE NEW
WAY OF SECURITY IN DEVOPS.
SUMMARY
5. @WICKETT
‣ CAN SECURITY AS AN INDUSTRY RISE TO THE
DEMANDS OF DEVOPS?
‣ IS THE DEVOPS CULTURE ABLE TO HANDLE
SECURITY AND ALL OF OUR BAGGAGE?
‣ WILL SECURITY DESTROY THE DEVOPS
CULTURE?
QUESTIONS ON MY MIND
7. @WICKETT
‣ WEB AND ECOMM FOR $1B COMPANY
‣ BRUTAL ONCALL ROTATIONS
‣ +24HR DEPLOYMENTS
‣ WATERFALL, WATERFALL, WATERFALL
‣ FRIENDS ARE BORN FROM ADVERSITY
FIRST BIGCO JOB
8. @WICKETT
‣ IN 2007 WENT STARTUP AND AWS CLOUD
‣ LEARNED A BIT ABOUT FAILURE AND
HAPPINESS
‣ REJOINED OLD TEAM IN 2010 FOR NEW CLOUD
VENTURE BACK IN BIGCO
CLOUDING FOR PROFIT
9. @WICKETT
‣ DEVOPS AND INFRA AS CODE
‣ NOT CD, BUT DEPLOYS DAILY
‣ AT BIGCO DELIVERED 4 SAAS PRODUCTS IN 2
YEARS WITH DEVOPS AND CLOUD
ENTER DEVOPS
10. @WICKETT
‣ FOUND RUGGED SOFTWARE
‣ MET GENE KIM IN 2012 IN A BAR IN AUSTIN
‣ CREATED GAUNTLT
‣ LATER, JOINED SIGNAL SCIENCES
DEVOPS AND SECURITY
18. @WICKETT
‣ DEVOPS ON A BUS AT RSA (SECURITY BEING
SECURITY)
‣ EXPO FLOOR AT DOCKER CON AND THE
DEVOPS TOOLCHAIN (OPERATIONS BEING
OPERATIONS)
TWO EVENTS
21. @WICKETT
‣ CAN SECURITY AS AN INDUSTRY RISE TO THE
DEMANDS OF DEVOPS?
‣ IS THE DEVOPS CULTURE ABLE TO HANDLE
SECURITY AND ALL OF OUR BAGGAGE?
‣ WILL SECURITY DESTROY THE DEVOPS
CULTURE?
QUESTIONS ON MY MIND
24. @WICKETT
‣ TEACH THREE DEVOPS CLASSES IN THE DEVOPS
FOUNDATIONS SERIES AT LYNDA / LINKEDIN
LEARNING
‣ WORK AT A POPULAR VENDOR OF DEVSECOPS
SOLUTIONS
‣ WRITE DEVOPS AND SECURITY ARTICLES AS
PART OF MY ROLE AT SIGNAL SCIENCES
32. @WICKETT
Companies are spending a great deal on
security, but we read of massive computer-
related attacks. Clearly something is wrong.
The root of the problem is twofold:
we’re protecting the wrong things,
and we’re hurting productivity in the process.
THINKING SECURITY, STEVEN M. BELLOVIN 2015
34. @WICKETT
[Security by risk assessment]
introduces a dangerous fallacy: that
structured inadequacy is almost as
good as adequacy and that
underfunded security efforts plus risk
management are about as good as
properly funded security work
42. @WICKETT
“every aspect of managing WAFs is an ongoing
process. This is the antithesis of set it and forget it
technology. That is the real point of this research.
To maximize value from your WAF you need to go
in with everyone’s eyes open to the effort required
to get and keep the WAF running productively.”
- WHITEPAPER FROM AN UNDISCLOSED WAF VENDOR
45. @WICKETT
THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS
HAS INCREASED FROM ~8.5 MONTHS TO OVER 10
MONTHS IN THE LAST 5 YEARS
Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
THE GROWTH OF [SECURITY] FUNCTIONS WHICH IS TOO
OFTEN POORLY COORDINATED… [RESULTING IN] A
PROLIFERATION OF NEW TASKS IN THE AREAS OF
COMPLIANCE, PRIVACY AND DATA PROTECTION.
46. @WICKETT
Many security professionals
have a hard time adapting their
existing practices to a world
where requirements can change
every few weeks, or where they
are never written down at all.
52. @WICKETT
High performers spend 50 percent less
time remediating security issues than
low performers.
By better integrating information security
objectives into daily work, teams achieve
higher levels of IT performance and build
more secure systems.
2016 State of DevOps Report
53. @WICKETT
High performing orgs achieve
quality by incorporating
security (and security teams)
into the delivery process
2016 State of DevOps Report
56. @WICKETT
OLD PATH VS. NEW PATH
Embrace Secrecy Create Feedback Loops
Just Pass Audit! Compliance adds Value
Enforce Stability Create Chaos
Build a Wall Zero Trust Networks
Slow Validation Fast and Non-blocking
Certainty Testing Adversity Testing
Test when Done Shift Left
Process Driven The Paved Road
57. @WICKETT
OLD PATH VS. NEW PATH
Embrace Secrecy Create Feedback Loops
Just Pass Audit! Compliance adds Value
Enforce Stability Create Chaos
Build a Wall Zero Trust Networks
Slow Validation Fast and Non-blocking
Certainty Testing Adversity Testing
Test when Done Shift Left
Process Driven The Paved Road
58. @WICKETT
A security team who embraces
openness about what it does and
why, spreads understanding.
- Rich Smith
66. @WICKETT
‣ SURFACE LEVEL
‣ WHAT WENT WRONG? HOW DID IT BREAK?
HOW DO WE FIX IT?
‣ DEEPER LEVEL
‣ WHAT ARE THINGS THAT WENT INTO MAKING
IT NOT AS BAD AS IT COULD HAVE BEEN?
OPERATIONAL TRUTH:
ALL INCIDENTS CAN BE WORSE
Source: John Allspaw, DOES 2017
67. @WICKETT
OLD PATH VS. NEW PATH
Embrace Secrecy Create Feedback Loops
Just Pass Audit! Compliance adds Value
Enforce Stability Create Chaos
Build a Wall Zero Trust Networks
Slow Validation Fast and Non-blocking
Certainty Testing Adversity Testing
Test when Done Shift Left
Process Driven The Paved Road
68. @WICKETT
‣ POLICIES AND PROCEDURES IN PLACE
‣ EFFECTIVE EXECUTION OF THOSE POLICIES TO
ALLOW YOU TO KEEP FUNCTIONING
‣ MOST OF PCI AND OTHER FRAMEWORKS
PROVIDE REASONABLY GOOD PRACTICES *IF*
YOU REMOVE ALL THE WATERFALL BITS
UNDERSTAND AUDITORS
69. @WICKETT
[Deploys] can be treated as
standard or routine changes
that have been pre-approved
by management, and that
don’t require a heavyweight
change review meeting.
72. @WICKETT
In environments where one individual
performs multiple roles (for example,
administration and security operations), duties
may be assigned such that no single
individual has end-to-end control of a process
without an independent checkpoint.
(aka Auditable Delivery Pipeline)
73. @WICKETT
Developers with Access to
Production, Oh My!!!
https://www.schellmanco.com/blog/2012/12/auditing-devops-
developers-with-access-to-production/
74. @WICKETT
Check out DevOps Audit
Defense Toolkit
https://cdn2.hubspot.net/hubfs/228391/Corporate/
DevOps_Audit_Defense_Toolkit_v1.0.pdf
75. @WICKETT
OLD PATH VS. NEW PATH
Embrace Secrecy Create Feedback Loops
Just Pass Audit! Compliance adds Value
Enforce Stability Create Chaos
Build a Wall Zero Trust Networks
Slow Validation Fast and Non-blocking
Certainty Testing Adversity Testing
Test when Done Shift Left
Process Driven The Paved Road
76. @WICKETT
‣ ADD IN CHAOS TO YOUR SYSTEM AND
APPLICATION
‣ CHAOS MONKEY
‣ ANTI-FRAGILE
‣ RELEASE IT! BOOK
CHAOS ENGINEERING
78. @WICKETT
‣ ADDS MISCONFIG TO THE STACK AND CHECKS
TO SEE IF IT GETS DETECTED
‣ NEW OPEN SOURCE TOOL!
‣ RUNS AS A LAMBDA
CHAOS SLINGR
79. @WICKETT
‣ VALIDATE YOUR SYSTEM CAN HANDLE CHAOS
THROUGH THE USE OF CHAOS EXPERIMENTS
‣ MANUAL OPT-OUT OF CHAOS
‣ ENGINEERING CULTURE THAT SECURITY CAN
ADOPT
‣ MICHAEL NYGARD’S RELEASE IT (2ND EDITION)
CHAOS EXPERIMENTS
80. @WICKETT
‣ I AM BEING PEN TESTED ANYWAY, WHY NOT
FIND OUT WHAT THEY ARE FINDING?
‣ 24/7 PEN TESTING
‣ BUILDS DEVELOPER CONFIDENCE
‣ FINDS MIX OF LOW HANGING FRUIT AND
SOMETIMES MUCH MORE!
BUG BOUNTIES
81. @WICKETT
OLD PATH VS. NEW PATH
Embrace Secrecy Create Feedback Loops
Just Pass Audit! Compliance adds Value
Enforce Stability Create Chaos
Build a Wall Zero Trust Networks
Slow Validation Fast and Non-blocking
Certainty Testing Adversity Testing
Test when Done Shift Left
Process Driven The Paved Road
84. @WICKETT
‣ NO PERIMETER SECURITY
‣ ASSUME COMPROMISE
‣ INSTRUMENT ALL LAYERS
‣ EXTENDS FROM LAPTOPS TO WEB
APPS TO CUSTOMER ACCOUNTS
ZERO TRUST NETWORKS
85. @WICKETT
Join Wendy Nather
Modern Security Series
Feb 1, Thurs, 12p PST
https://info.signalsciences.com/mfa-multi-factor-authentication-modern-security-series
86. @WICKETT
OLD PATH VS. NEW PATH
Embrace Secrecy Create Feedback Loops
Just Pass Audit! Compliance adds Value
Enforce Stability Create Chaos
Build a Wall Zero Trust Networks
Slow Validation Fast and Non-blocking
Certainty Testing Adversity Testing
Test when Done Shift Left
Process Driven The Paved Road
87. @WICKETT
‣ DON’T SLOW DELIVERY
‣ CONTINUOUS TESTING AND VALIDATION
‣ TESTING ON THE SIDE OF THE PIPELINE
‣ PENETRATION TESTING OUTSIDE OF DELIVERY
FAST AND NON-BLOCKING
98. @WICKETT
OLD PATH VS. NEW PATH
Embrace Secrecy Create Feedback Loops
Just Pass Audit! Compliance adds Value
Enforce Stability Create Chaos
Build a Wall Zero Trust Networks
Slow Validation Fast and Non-blocking
Certainty Testing Adversity Testing
Test when Done Shift Left
Process Driven The Paved Road
100. @WICKETT
The goal should be to come up with a
set of automated tests that probe and
check security configurations and
runtime system behavior for security
features that will execute every time
the system is built and every time it is
deployed.
104. @WICKETT
Open source, MIT License
Gauntlt comes with pre-canned steps that
hook security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/
stderr
110. @WICKETT
$ gem install gauntlt
# download example attacks from github
# customize the example attacks
# now you can run gauntlt
$ gauntlt
111. @WICKETT
@slow @final
Feature: Look for cross site scripting (xss) using arachni
against a URL
Scenario: Using arachni, look for cross site scripting and verify
no issues are found
Given "arachni" is installed
And the following profile:
| name | value |
| url | http://localhost:8008 |
When I launch an "arachni" attack with:
"""
arachni —check=xss* <url>
"""
Then the output should contain "0 issues were detected."
Given
When
Then
What?
112. @WICKETT
“We have saved millions of
dollars using Gauntlt for the
largest healthcare industry
project.”
- Aaron Rinehart, UnitedHealthCare
114. @WICKETT
‣ 8 LABS FOR GAUNTLT
‣ HOW TO USE GAUNTLT FOR NETWORK CHECKS
‣ GAUNTLT FOR XSS, SQLI, OTHER APSES
‣ HANDLING REPORTING
‣ USING ENV VARS
‣ CI SYSTEM SETUP
WORKSHOP INCLUDES:
122. @WICKETT
OLD PATH VS. NEW PATH
Embrace Secrecy Create Feedback Loops
Just Pass Audit! Compliance adds Value
Enforce Stability Create Chaos
Build a Wall Zero Trust Networks
Slow Validation Fast and Non-blocking
Certainty Testing Adversity Testing
Test when Done Shift Left
Process Driven The Paved Road
127. @WICKETT
OVER 30% OF OFFICIAL IMAGES IN
DOCKER HUB CONTAIN HIGH PRIORITY
SECURITY VULNERABILITIES
https://banyanops.com/blog/analyzing-docker-hub/
128. @WICKETT
OLD PATH VS. NEW PATH
Embrace Secrecy Create Feedback Loops
Just Pass Audit! Compliance adds Value
Enforce Stability Create Chaos
Build a Wall Zero Trust Networks
Slow Validation Fast and Non-blocking
Certainty Testing Adversity Testing
Test when Done Shift Left
Process Driven The Paved Road
129. @WICKETT
‣ MAKE IT EASY FOR PEOPLE TO DO THE RIGHT
THING
‣ JASON CHAN, NETFLIX
‣ GOLD IMAGES
‣ BLESSED BUILDS AND DEPENDENCIES
THE PAVED ROAD