DevSecOps: Security at the Speed of DevOp
Download as PPTX, PDF0 likes1,300 views
This document discusses adopting a DevSecOps culture and practices through a 3-part framework. The framework involves: 1) Winning developers' trust by emphasizing building security in from the start rather than adding it on later, 2) Making security practices easy for developers to understand and implement through a self-assessment tool, and 3) Providing transparency to management on rollout progress through visualization of an organization's DevSecOps maturity. The overall aim is to achieve collaboration between development, operations, and security teams through a culture of shared responsibility for security.
![LinkedIn.com/in/LarryMaccherone
Only 21% of [companies] believe
that their organization's present
culture and practices support
collaboration across development,
operations and security.
~Freeform Dynamics
(IT industry analyst)](https://image.slidesharecdn.com/maccherone-securityatspeedofdevops-springone-sept2018-181001233913/85/DevSecOps-Security-at-the-Speed-of-DevOp-2-320.jpg)
![LinkedIn.com/in/LarryMaccherone
Dev[Sec]Ops is…
empowered engineering teams
taking ownership
of how their product
performs in production
[including security]](https://image.slidesharecdn.com/maccherone-securityatspeedofdevops-springone-sept2018-181001233913/85/DevSecOps-Security-at-the-Speed-of-DevOp-4-320.jpg)
![Dev[Sec]Ops different decisions](https://image.slidesharecdn.com/maccherone-securityatspeedofdevops-springone-sept2018-181001233913/85/DevSecOps-Security-at-the-Speed-of-DevOp-5-320.jpg)
![LinkedIn.com/in/LarryMaccherone
Dev[Sec]Ops Results
• Dramatically faster time to market
happier customers more revenue
• 5x lower rate of failures caused by changes1
• 96x faster recovery from downtime failures1
It’s scary to QA and Security, but “moving fast and breaking
things” leads to dramatically lower rates of customer
experienced defects and vulnerabilities
1Puppet’s 2017 State of DevOps Report](https://image.slidesharecdn.com/maccherone-securityatspeedofdevops-springone-sept2018-181001233913/85/DevSecOps-Security-at-the-Speed-of-DevOp-6-320.jpg)
![A 3-part framework
for adopting new practices and
Dev[Sec]Ops culture change](https://image.slidesharecdn.com/maccherone-securityatspeedofdevops-springone-sept2018-181001233913/85/DevSecOps-Security-at-the-Speed-of-DevOp-15-320.jpg)
![LinkedIn.com/in/LarryMaccherone
Visualizing an org’s
Dev[Sec]Ops practices](https://image.slidesharecdn.com/maccherone-securityatspeedofdevops-springone-sept2018-181001233913/85/DevSecOps-Security-at-the-Speed-of-DevOp-25-320.jpg)
DevSecOps: Security at the Speed of DevOp
- 1. LinkedIn.com/in/LarryMaccherone Security at the Speed of Software Development A lean/agile transformation approach to achieving a DevSecOps culture Larry Maccherone LinkedIn.com/in/LarryMaccherone
- 2. LinkedIn.com/in/LarryMaccherone Only 21% of [companies] believe that their organization's present culture and practices support collaboration across development, operations and security. ~Freeform Dynamics (IT industry analyst)
- 4. LinkedIn.com/in/LarryMaccherone Dev[Sec]Ops is… empowered engineering teams taking ownership of how their product performs in production [including security]
- 5. Dev[Sec]Ops different decisions
- 6. LinkedIn.com/in/LarryMaccherone Dev[Sec]Ops Results • Dramatically faster time to market happier customers more revenue • 5x lower rate of failures caused by changes1 • 96x faster recovery from downtime failures1 It’s scary to QA and Security, but “moving fast and breaking things” leads to dramatically lower rates of customer experienced defects and vulnerabilities 1Puppet’s 2017 State of DevOps Report
- 7. What is Software Security?
- 8. LinkedIn.com/in/LarryMaccherone When you say “security” to a developer, he/she thinks… Authentication & authorization Encryption
- 9. LinkedIn.com/in/LarryMaccherone The bad guys… Don’t attack the bank vault door (breaking auth/encryption) They try to bust through the walls (vulnerabilities in the non-security parts of your code)
- 11. Software security puts focus on the bank vault walls
- 12. DevSecOps puts focus on the people, practices, and tools used to build the bank vault walls
- 13. Security practices on DevOps continuum DevSecOps • Static/IAST analysis • Abuse case tests • Code review • Interrupt-the-pipeline code analysis • Threat modeling backlog items • Analyze/Predict backlog items • Design complies with policy? • Test security features • Common abuse cases • Pen testing (Vuls found Test scripts) • Compliance validation (PCI, etc.) • Fuzzing • If we do X will it mitigate Y? • Capacity forecasting • Learning Update playbooks and Training • Configuration validation • Feature toggles/Traffic shaping configuration • Secrets management • Log information for after-incident analysis • Intrusion detection • App attack detection • Restore/maintain service for non-attack usage • RASP auto respond • Roll-back or toggle off • Block attacker • Shut down services • Analysis Learning • Defect/Incident 3-step • New attack surface? Plan to update threat model
- 14. That’s a lot of stuff! How do we get engineering teams to adopt?
- 15. A 3-part framework for adopting new practices and Dev[Sec]Ops culture change
- 16. 1 Win the hearts and minds of developers
- 17. LinkedIn.com/in/LarryMaccherone Lack of TRUST between dev teams and security teams
- 18. Build security in more than bolt it on Rely on empowered engineering teams more than security specialists Implement features securely more than security features Rely on continuous learning more than end-of-phase gates Build on culture change more than policy enforcement DevSecOpsManifestoComcastSDL GuidingPrinciples
- 19. We, the Security Team… Recognize that Engineering Teams… • Want to do the right thing • Are closer to the business context and will make smart trade-off decisions between security and other risks • Want information and assistance so they can improve our security posture Pledge to… • Lower the cost/effort side of any investment in developer security tools or practices • Assist 2x as much with preventative initiatives as we beg for your assistance reacting to security incidents Understand that… • We are no longer gate keepers but rather tool-smiths and advisors
- 20. Credibility + Reliability + Empathy Trust = ———————————————— Apparent self-interest https://www.devsecopsdays.com/articles/trust-algorithm-applied-to-devsecops
- 21. 2 Easy for dev teams to know what the right thing is and easy to do it
- 23. After self-assessment ask the team to pick some to turn dark(er) green in the next quarter
- 24. 3 Management gets: Transparency of rollout status A mechanism to set goals
- 26. Many DevSecOps tools are just DevOps lipstick on a traditional tool pig DevSecOps tools talk Tomorrow 12:30-1pm Woodrow Wilson A
- 27. LinkedIn.com/in/LarryMaccherone What’s next? • DevSecOps tools talk tomorrow 12:30-1pm – Woodrow Wilson A • Read about the Trust Algorithm https://www.devsecopsdays.com/articles/ trust-algorithm-applied-to-devsecops • Connect with me LinkedIn.com/in/LarryMaccherone • Rate the talk in your app • Questions?