DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek...

Post on 25-Jun-2015


How to create a constructive force field between DevOps engineers and hackers? NOTE: Slide 4 ('Vision on IT Security') has been altered in hindsight. For questions, please contact me directly: +316 457 61 857

Transcript of DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek...

Lazy hackers who think out of the box, but stay in the box...

Freek Kauffmann, Security Consultant, ITQ S-Unit

Freek Kauffmann

• Nerd
• DevOps Engineer
• Security Consultant
• Business Developer
• Senior Coach
• Business Unit Manager

Vision on IT security

Defense      Offence
Bolt on      Integrated
Role         Team
Awareness    DNA

"Hackers" defined

• There are many definitions.
• "Hacking" defined for this presentation:

"Technical security specialists who are hired to apply their offensive mind-set to improve digital resilience."

Hackers & DevOps Engineers: similar

Animals of the same type:
• Highly skilled
• Highly creative
• Allergic to doing the same thing thrice, hence, lazy.
• Love complex problems

Intrinsically improving security

Pipeline stages, as shown across four builds of the same slide:
Testing – User acceptance – Development – Production

Build 1: 50% – 30% – 15% – 5%
Build 2: adds "Non-stop pentesting (infrastructure & application)"; 50% – 30% – 15% – 5%
Build 3: Non-stop pentesting (infrastructure & application); 50% – 10% – 9% – 1% – 30%
Build 4: Non-stop pentesting (infrastructure & application); 50% – 10% – 9% – 1%; Code review; Architecture review; DevOps 30%

Non-stop Offensive Security

Monitoring
• Adding new tests continuously.
• Non-stop verification of previous findings.
• Executing security tests automatically at every commit.
• Integrated in continuous delivery tooling & processes.
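One concrete shape for the "non-stop verification of previous findings" the slide describes is a small regression suite in which every finding from an earlier pentest report becomes a deterministic check that runs at each commit and fails the build if the fix has silently disappeared. The script below is an added example written for this transcript, not code from the talk or from ITQ; the finding identifiers, the artifact contents (an nginx config, a Dockerfile and a Django-style settings file) and the check functions are all constructed for illustration.

```python
"""Regression suite of previously fixed security findings, meant to run at
every commit from CI so that a fix cannot regress unnoticed.

Each finding from an earlier report is a small, deterministic check over
build artifacts; here the artifacts are constructed strings so the example
runs offline.
"""
import re
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample artifacts standing in for files checked out at a commit
# (hypothetical content for this example, not from any real project).
ARTIFACTS: Dict[str, str] = {
    "nginx.conf": (
        "server {\n"
        "    listen 443 ssl;\n"
        "    ssl_protocols TLSv1.2 TLSv1.3;\n"
        "    add_header Strict-Transport-Security \"max-age=31536000\" always;\n"
        "}\n"
    ),
    "Dockerfile": (
        "FROM python:3.12-slim\n"
        "RUN useradd --create-home app\n"
        "COPY . /app\n"
        "USER app\n"
        "CMD [\"python\", \"/app/main.py\"]\n"
    ),
    "settings.py": "DEBUG = False\nALLOWED_HOSTS = ['example.internal']\n",
}


@dataclass(frozen=True)
class Finding:
    ident: str  # hypothetical ticket id from the original pentest report
    title: str
    # Returns True while the fix is still in place, False on regression.
    check: Callable[[Dict[str, str]], bool]


def tls_legacy_disabled(files: Dict[str, str]) -> bool:
    """Fix for 'legacy TLS enabled': no SSLv3/TLSv1/TLSv1.1 in ssl_protocols."""
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", files.get("nginx.conf", ""), re.M)
    if not m:
        return False  # no explicit directive means we cannot prove the fix
    enabled = set(m.group(1).split())
    return not (enabled & {"SSLv3", "TLSv1", "TLSv1.1"})


def hsts_present(files: Dict[str, str]) -> bool:
    """Fix for 'missing HSTS header': the add_header directive is still there."""
    pattern = r"^\s*add_header\s+Strict-Transport-Security\b"
    return re.search(pattern, files.get("nginx.conf", ""), re.M) is not None


def container_not_root(files: Dict[str, str]) -> bool:
    """Fix for 'container runs as root': the last USER instruction is non-root."""
    users = re.findall(r"^\s*USER\s+(\S+)", files.get("Dockerfile", ""), re.M)
    return bool(users) and users[-1] not in ("root", "0")


def debug_disabled(files: Dict[str, str]) -> bool:
    """Fix for 'debug mode enabled in production': DEBUG is literally False."""
    m = re.search(r"^\s*DEBUG\s*=\s*(\w+)", files.get("settings.py", ""), re.M)
    return m is not None and m.group(1) == "False"


# The registry of earlier findings; grows with every new report (constructed ids).
FINDINGS: List[Finding] = [
    Finding("PT-2015-01", "Legacy TLS protocols enabled", tls_legacy_disabled),
    Finding("PT-2015-02", "HSTS header missing", hsts_present),
    Finding("PT-2015-03", "Container runs as root", container_not_root),
    Finding("PT-2015-04", "Debug mode enabled", debug_disabled),
]


def verify_findings(files: Dict[str, str], findings=FINDINGS) -> Dict[str, bool]:
    """Map each finding id to whether its fix is still in place."""
    return {f.ident: f.check(files) for f in findings}


def regressions(files: Dict[str, str], findings=FINDINGS) -> List[str]:
    """Ids of findings whose fix has regressed, in registry order."""
    return [ident for ident, ok in verify_findings(files, findings).items() if not ok]


if __name__ == "__main__":
    failed = regressions(ARTIFACTS)
    for f in FINDINGS:
        status = "REGRESSED" if f.ident in failed else "ok"
        print(f"{f.ident} {f.title}: {status}")
    # A non-zero exit code is what makes the CI job (and the commit) fail.
    sys.exit(1 if failed else 0)
```

Wired into the delivery pipeline as a pre-merge job, the exit code is the only integration point needed; adding a check for each new finding is the "adding new tests continuously" bullet, and keeping the old checks is the non-stop verification.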

Less time spent on:
• Pre-sales from external suppliers
• Initiating projects
• Infrastructure pentesting
• Doing (boring) stuff manually

Allows for:
• More time for fun creative work
• More time for application pentesting
• More time for automating security testing
• Saving cost
• Lowering operational risk

Hackers & DevOps Engineers: similar, yet different

Red Team
• Build to break
• Independent
• Hack to destroy
• Specialists (security)
• Outward focus (monitoring trends)
• Want root

DevOps Team
• Build to last
• Interdependent
• Hack to create
• Generalists
• Inward focus (getting changes to production)
• Are root

Think inside the box… (DevOps engineer)

Think out of the box… (DevOps engineer: out of the box thinking)

Back in the box

But stay in the box!

• Technology
  – Using same tooling
• Processes
  – Seamlessly joining in existing processes
• People
  – Close cooperation between builders & breakers

Questions?

Freek Kauffmann, ITQ S-Unit
+316 457 61 857