Securing the DevOps Landscape · 2020-05-17 · Securing the DevOps Landscape Martyn Coupland DevOps Technical Lead, Virgin Atlantic

Securing the DevOps Landscape

Martyn Coupland

DevOps Technical Lead, Virgin Atlantic

Reality of data breaches

[Chart: Records Lost Per Year, 2010 to 2019]

[Chart: Breaches by Sensitivity, 2010 to 2019; legend: Email, SSN, Credit Card, Health, Full]

Reality of data breaches

[Chart: Breaches Per Sector; largest slices Tech 44% and Web 33%; sectors shown: Academic, App, Energy, Financial, Gaming, Government, Military, Healthcare, Legal, Media, Retail, Tech, Telecoms, Transport]

[Chart: Breaches by Method; Hacked 62%, Insider 6%, Lost Device 13%, Oops 6%, Poor Security 13%, Other]

Reality of data breaches

[Chart: Records Lost by Method; categories: Hacked, Insider, Lost Device, Oops!, Poor Security, Other]

What have we learned

• Number of breaches and records lost per year is generally going up

• 62% of breaches are due to hacking

• 6% are due to mistakes

• 6% are due to insider jobs

• Although hacking accounts for nearly ⅔ of breaches, half the number of records are stolen compared to poor security

• Lost devices account for 13% of breaches but only around 1% of record loss

• Tech firms are most at risk, accounting for 44% of breaches, with web-based breaches next at 33%

• 70% of passwords are in the breaches charted

Summarising the data

Data: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Security comes first…

• Security comes in various forms; think about every angle

• With hacking so prevalent, secure all aspects of your platform, including your pipelines

• It should just be DevOps, not DevSecOps; think Security as a Service

• Shift security to the left

Don’t be headline news

What hinders security innovation?

• Manual processes and culture

• Point in time assessments

• Traditional InfoSec “friction”

• Misunderstanding of context

• Political internal interference

• Fear of failure

• Lack of external thinking

Security is everyone’s responsibility…

The DevOps : Sec ratio

Numbers matter…

100 : 10 : 1, and that 1 is hard to find

The art of DevSecOps

DevSecOps:

• Security Engineering: Experiment, Automate, Test

• Security Operations: Hunt, Detect, Contain

• Compliance Operations: Respond, Manage, Train

• Security Science: Learn, Measure, Forecast

Security is and always has been a design constraint

If you can remember five things, let it be these…

“Apps and data are as safe as where you put it, what’s in it, how you inspect it, who talks to it and how it’s protected”

It must be built-in to be effective

• Authentication

• Logging

• Asset Management

• Zoning & Containment

• Encryption

Security as code

• Paper policies do not stand up to constant cloud evolution and lessons learned

• Translation from paper to code and back leads to serious mistakes

• Traditional policies do not translate to full stack deployments

EVERYTHING AS CODE

Data Centre: Lock your doors; Badge in; Authorised personnel only; Background checks

Cloud Provider: Choose strong passwords; Use MFA; Rotate API credentials; Cross-account access
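A worked illustration of the "everything as code" idea, added here and not code from the talk: the cloud-provider items on the slide (use MFA, rotate API credentials, control cross-account access) written as policy checks that a pipeline can run on every change and fail on any finding. The inventory and trust-policy structures, the user names, key ids, account ids and the 90-day rotation limit are constructed assumptions for this example, not any provider's real API output.

```python
"""Policy-as-code checks over a constructed identity inventory.

Added example; the inventory layout is a hypothetical simplification of
what a cloud provider's IAM API would return, not a real format.
"""
from dataclasses import dataclass
from datetime import date

MAX_KEY_AGE_DAYS = 90  # assumed limit: rotate API credentials older than this

# Constructed sample inventory (fictional users and key ids)
INVENTORY = [
    {"user": "alice", "mfa_enabled": True,
     "access_keys": [{"id": "KEY-A1", "created": "2020-04-01"}]},
    {"user": "bob", "mfa_enabled": False,
     "access_keys": [{"id": "KEY-B1", "created": "2019-11-15"}]},
    {"user": "ci-deploy", "mfa_enabled": False, "service_account": True,
     "access_keys": [{"id": "KEY-C1", "created": "2020-05-01"}]},
]

# Constructed cross-account trust: which principals may assume each role
TRUST_POLICIES = {
    "deploy-role": {"allowed_principals": ["arn:aws:iam::111111111111:root"]},
    "debug-role": {"allowed_principals": ["*"]},
}
ALLOWED_PARTNER_ACCOUNTS = {"111111111111"}  # constructed partner account id


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str


def check_mfa(inventory):
    """Rule 'use MFA': every human user must have MFA; service accounts are exempt."""
    return [Finding("use-mfa", u["user"], "human user without MFA")
            for u in inventory
            if not u.get("service_account") and not u["mfa_enabled"]]


def check_key_rotation(inventory, today, max_age=MAX_KEY_AGE_DAYS):
    """Rule 'rotate API credentials': flag keys older than max_age days."""
    findings = []
    for u in inventory:
        for k in u["access_keys"]:
            age = (today - date.fromisoformat(k["created"])).days
            if age > max_age:
                findings.append(Finding("rotate-api-credentials", k["id"],
                                        f"{age} days old (limit {max_age})"))
    return findings


def check_cross_account(trust_policies, allowed_accounts):
    """Rule 'cross-account access': no wildcard principals, only listed partner accounts."""
    findings = []
    for role, policy in trust_policies.items():
        for principal in policy["allowed_principals"]:
            if principal == "*":
                findings.append(Finding("cross-account-access", role, "wildcard principal"))
                continue
            account = principal.split(":")[4]  # arn:partition:service:region:account:resource
            if account not in allowed_accounts:
                findings.append(Finding("cross-account-access", role,
                                        f"untrusted account {account}"))
    return findings


def evaluate(inventory=INVENTORY, trust_policies=TRUST_POLICIES, today=date(2020, 5, 17)):
    """Run every rule; an empty list means the change may proceed."""
    return (check_mfa(inventory)
            + check_key_rotation(inventory, today)
            + check_cross_account(trust_policies, ALLOWED_PARTNER_ACCOUNTS))


if __name__ == "__main__":
    findings = evaluate()
    for f in findings:
        print(f"{f.rule:25} {f.subject:15} {f.detail}")
    raise SystemExit(1 if findings else 0)  # non-zero exit fails the pipeline stage
```

The rules live next to the infrastructure code they govern, so a change that weakens a trust policy or lets a key age past the limit is caught at review time rather than at the next point-in-time audit.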

Continuous feedback

[Diagram: Product Team provides FEEDBACK (Attack Activity, Customer Feedback, Monitoring, Regression, CI/CD, Unit Tests); Security Team provides SECURITY TESTING & DATA; Community provides INTELLIGENCE]

The journey to high fidelity feedback

[Diagram: inputs (Researchers, Red Team, Pen Test, Tooling, Threat Intel, IOCs, AI, Bug Bounty) feed a funnel: Logs & Events (TB/Day) → Correlation → Case Management → Developer Backlog; # Events: Billions → Millions → Thousands → Hundreds; Workflow and Pipeline → Actionable Features/Defects]
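An added example (not the talk's own code) of the funnel the diagram describes: raw log lines are parsed into events, events are correlated into alerts, and alerts become cases with a severity the developer backlog can prioritise on. The sshd log format, the sample lines, the host names, addresses and the threshold of three failures are all constructed for this illustration.

```python
"""Event-to-case correlation over constructed log lines.

Added example; the sshd-style format, thresholds and severity rule are
this example's own choices, not a real SIEM's configuration.
"""
import re
from collections import defaultdict

# Assumed syslog-style sshd failure line; constructed for this example
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
ALERT_THRESHOLD = 3  # failures from one source before it becomes an alert

# Constructed sample log (documentation address ranges, fictional hosts)
RAW_LOGS = """\
2020-05-17T10:00:01Z web-01 sshd[4011]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
2020-05-17T10:00:02Z web-01 sshd[4011]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
2020-05-17T10:00:03Z web-01 sshd[4012]: Failed password for root from 198.51.100.7 port 51024 ssh2
2020-05-17T10:00:04Z web-02 sshd[2201]: Failed password for deploy from 198.51.100.7 port 51030 ssh2
2020-05-17T10:00:05Z web-02 sshd[2201]: Failed password for deploy from 198.51.100.7 port 51031 ssh2
2020-05-17T10:00:06Z web-02 sshd[2202]: Accepted publickey for deploy from 203.0.113.9 port 40001 ssh2
2020-05-17T10:01:00Z db-01 sshd[900]: Failed password for postgres from 192.0.2.44 port 60001 ssh2
2020-05-17T10:01:30Z web-01 sshd[4015]: Failed password for invalid user test from 198.51.100.7 port 51100 ssh2
"""


def parse_events(text):
    """Stage 1 (billions): raw lines -> structured events the rule understands."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            events.append(m.groupdict())
    return events


def correlate(events, threshold=ALERT_THRESHOLD):
    """Stage 2 (millions): events -> one alert per source that crosses the threshold."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in sorted(by_src.items()):
        if len(evs) >= threshold:
            alerts.append({
                "source": src,
                "failures": len(evs),
                "hosts": sorted({e["host"] for e in evs}),
                "users": sorted({e["user"] for e in evs}),
                "first_seen": min(e["ts"] for e in evs),
                "last_seen": max(e["ts"] for e in evs),
            })
    return alerts


def open_cases(alerts):
    """Stage 3 (thousands -> hundreds): alerts -> cases with a severity for triage."""
    cases = []
    for a in alerts:
        # A source hitting several hosts is treated as more urgent than a single host
        severity = "high" if len(a["hosts"]) > 1 else "medium"
        title = f"Repeated failed logins from {a['source']} against {len(a['hosts'])} host(s)"
        cases.append({**a, "severity": severity, "title": title})
    return cases


def funnel(text):
    """Counts at each stage, showing the reduction the diagram describes."""
    events = parse_events(text)
    alerts = correlate(events)
    cases = open_cases(alerts)
    return {"raw_lines": len(text.splitlines()), "events": len(events),
            "alerts": len(alerts), "cases": len(cases)}


if __name__ == "__main__":
    print(funnel(RAW_LOGS))
    for c in open_cases(correlate(parse_events(RAW_LOGS))):
        print(c["severity"], c["title"], c["users"])
```

The single failure from 192.0.2.44 never leaves the event stage, while the six failures from 198.51.100.7 across two hosts collapse into one high-severity case; that collapse from many lines to one item is what makes the feedback actionable for the team that owns the backlog.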

Fact check

• Teams focusing on testing, detection and measuring progress have 30% fewer defects in production

• MTTR is 5x faster than other teams

• Average of 98% CI/CD success

Great information, but does it work?

Five foundations

• Don’t measure at a team level, measure globally

Security's goal is to help the business achieve goals, avoid siloed thinking

• Measure outcomes vs outputs

Measuring work is not tied to tangible outcomes

• “Maturity Threshold”

Forget it, prioritise resilience over a notion of maturity

• Don’t miss the forest for the trees

Focusing on components too much can mean missing the bigger picture

• Don’t try to measure failure

Failure is inevitable, incentivizing failure avoidance is unrealistic at best
