25
1 DevSecOps BUILDING RUGGED SOFTWARE SHANNON LIETZ Copyright © DevSecOps Foundation 2015-2016

DevSecOps - Building Rugged Software

Embed Size (px)

Citation preview

Page 1: DevSecOps - Building Rugged Software

1

DevSecOpsBUILD ING RUGGED SOFTWARE

SHANNONLIETZ

Copyright ©DevSecOpsFoundation 2015-2016

Page 2: DevSecOps - Building Rugged Software

2 Copyright ©DevSecOpsFoundation 2015-2016

What’sHappeningintheWorld?

• DEVOPS• PUBLICCLOUD• AGILE• SCRUM• LEAN• LOW-CODE• NO-CODE• NOOPS• …

https://www.google.com/trends/

Page 3: DevSecOps - Building Rugged Software

3 Copyright ©DevSecOpsFoundation 2015-2016

AHistoryLesson– GoogleTrendsResearch

• SeveralyearsaftertheAgileManifesto,DevOps.comwasregisteredin2004• Googlesearchesfor“DevOps”startedtorisein2010• Majorinfluences:

• SavingyourInfrastructure fromDevOps/ChicagoTribune• DevOps:ACultureShift,NotaTechnology/InformationWeek• DevOps:ASharder’s TalefromEtsy• DevOps.com articles

• RuggedSoftware.org wasregisteredin2010• Asof2013, DevSecOps isonthemap…

Page 4: DevSecOps - Building Rugged Software

4 Copyright ©DevSecOpsFoundation 2015-2016

Who’sdoingEnterpriseDevOps?

Page 5: DevSecOps - Building Rugged Software

5 Copyright ©DevSecOpsFoundation 2015-2016

What’sthebusinessbenefit?

Businessstrategyisachievedwiththecollaboration ofalldepartmentsand

providersinservicetothecustomer whorequiresbetter,faster,cheaper,secure

productsandservices.

Page 6: DevSecOps - Building Rugged Software

6 Copyright ©DevSecOpsFoundation 2015-2016

WhatHindersSecureInnovation?

1. Manualprocesses&meetingculture

2. Pointintimeassessments

3. Frictionforfriction’ssake

4. Contextualmisunderstandings

5. Decisionsbeingmadeoutsideofvaluecreation

6. Lateconstraintsandrequirements

7. Bigcommitments,bigteams,andbigfailures

8. Fearoffailure,lackoflearning

9. Lackofinspiration

10. Managementandpoliticalinterference(approvals,exceptions)

...

Page 7: DevSecOps - Building Rugged Software

7 Copyright ©DevSecOpsFoundation 2015-2016

SayWhat??!!

http://donsmaps.com/images22/mutta1200.jpg

Page 8: DevSecOps - Building Rugged Software

8 Copyright ©DevSecOpsFoundation 2015-2016

• Innovation isacompetitiveadvantage• Cloud hasleveledtheplayingfield• DemandforCustomercentricproductdevelopment• Continuousdeliveryoffeaturesandchanges• Newgenerationofworkersdesirecollaboration• Speedandscalearenecessarytohandledemand• Integration overinventiontospeedupresults• Securitybreachesareontherise• Peopledesiretoworkwithgreaterautonomy...• ContinuousLearning...HowcanIdobetter?&better?

TheNeedforChange

commons.wikimedia.org

Page 9: DevSecOps - Building Rugged Software

9 Copyright ©DevSecOpsFoundation 2015-2016

CultureHacking

Traditional Security

Security isEveryone’s

Responsibility

DEVSECOPS

Page 10: DevSecOps - Building Rugged Software

10 Copyright ©DevSecOpsFoundation 2015-2016

TheArtofDevSecOps

DevSecOps

SecurityEngineering

Experiment,Automate,Test

SecurityOperations

Hunt,Detect,Contain

ComplianceOperations

Respond,Manage,Train

SecurityScience

Learn,Measure,Forecast

Page 11: DevSecOps - Building Rugged Software

11

TheSecureSoftwareSupplyChain• GatingprocessesarenotDeming-like• Securityisadesignconstraint• Decisionsmadebyengineeringteams

• Hardtoavoidbusinesscatastrophesbyapplyingone-size-fits-allstrategies

• Securitydefectsismorelikeasecurity“recall”

design build deploy operate

Howdo Isecuremyapp?

Whatcomponentissecureenough?

Howdo Isecuresecretsforthe

app?

Ismyappgettingattacked?How?

Typicalgatesforsecurity

checks&balances

Mistakesanddriftoftenhappenafterdesignandbuild phases that

resultinweaknesses andpotentiallyexploits

MostcostlymistakesHappenduringdesign

Fastersecurityfeedbackloop

Copyright ©DevSecOpsFoundation 2015-2016

Page 12: DevSecOps - Building Rugged Software

12 Copyright ©DevSecOpsFoundation 2015-2016

FromaTraditionalSupplyChain…

Whenwillyousolvemyproblem?!! Canwediscussmyfeedback?Didwepassthe98point inspection?

ThankstoHenrikKniberg

Page 13: DevSecOps - Building Rugged Software

13 Copyright ©DevSecOpsFoundation 2015-2016

ToaCustomerCentricSupplyChain

ThankstoHenrikKniberg

Awesome!WhencanIbringmykidswithme?DoesitcomeinRed?

Canthisbemotorizedtogofasterandforlongertrips?

Betterthanwalking,forsure…butnotbymuch...

SecuritymustshiftleftwithaScienceMindsetlikeallotherOps…

Page 14: DevSecOps - Building Rugged Software

14 Copyright ©DevSecOpsFoundation 2015-2016

ShiftingSecuritytotheLeftmeansbuilt-in

design build deploy operate

Howdo Isecuremyapp?

Whatcomponentissecureenough?

Howdo Isecuresecretsforthe

app?

Ismyappgettingattacked?How?

Typicalgatesforsecurity

checks&balances

Mistakesanddriftoftenhappenafterdesignandbuild phases that

resultinweaknesses andpotentiallyexploits

MostcostlymistakesHappenduringdesign

Fastersecurityfeedbackloop

SecurityisaDesignConstraint

Page 15: DevSecOps - Building Rugged Software

15

• EveryoneknowsMaslow…• Ifyoucanremember5things,rememberthese->

“Apps&dataareassafeaswhereyouputit,what’sinit,howyouinspect it,whotalkstoit,andhowitsprotected…”

Copyright ©DevSecOpsFoundation 2015-2016

SecurityisandhasalwaysbeenaDesignConstraint…

Page 16: DevSecOps - Building Rugged Software

16 Copyright ©DevSecOpsFoundation 2015-2016

ButPleaseNoChecklists&SavetheTrees!!

Page 3of 433Xdeforestation:https://www.flickr.com/photos/foreignoffice/3509228297

Page 17: DevSecOps - Building Rugged Software

17

SecurityGovernanceTransparencyviaContinuousImprovement

https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf

Page 18: DevSecOps - Building Rugged Software

18 Copyright ©DevSecOps Foundation 2015-2016

SecurityasCode/EverythingasCode

• Paper-residentpoliciesdonotstanduptoconstantcloudevolutionandlessonslearned.

• Translationfrompapertocodeandbackcanleadtoseriousmistakes.

• Traditionalsecuritypoliciesdonot1:1translatetoFullStackdeployments.

DataCe

nter

Clou

dProvider

Network

• LOCKYOURDOORS• BADGEIN• AUTHORIZEDPERSONNELONLY• BACKGROUNDCHECKS

• CHOOSESTRONGPASSWORDS• USEMFA• ROTATEAPICREDENTIALS• CROSS-ACCOUNTACCESS

EVERYTHINGASCODE

Page 3of 433

Page 19: DevSecOps - Building Rugged Software

19 Copyright ©DevSecOpsFoundation 2015-2016

ExampleofContinuousDelivery+Security

SourceCode CIServer Artifacts MonitoringDeployTest&Scan

DevOpsCode- CreatingValue&Availability

DevSecOps Code- CreatingTrust&Confidence

Page 20: DevSecOps - Building Rugged Software

20 Copyright ©DevSecOpsFoundation 2015-2016

ContinuousFeedback

THEFEEDBACKHIGHWAY

PRODUCTSCRUMTEAM

THEINTELHIGHWAY

SECURITYTESTING&DATAPLATFORMSECURITYTEAM SECURITYCOMMUNITY

Page 21: DevSecOps - Building Rugged Software

21 Copyright ©DevSecOpsFoundation 2015-2016

ContinuousSecurityEngineering&Science

Monitor&InspectEverything

insightssecuritysciencesecurity

tools&data

Cloudaccounts

S3

Glacier

EC2

CloudTrail

ingestion

threatintel

securityfeedbackloop continuous response

Page 22: DevSecOps - Building Rugged Software

22

RedTeam,SecurityOperations&Science

APIKEY EXPOSURE ->8HRS

DEFAULT CONFIGS ->24HRS

SECURITY GROUPS ->24HRS

ESCALATION OF PRIVS ->5D

KNOWN VULN ->8HRS

Copyright ©DevSecOpsFoundation 2015-2016

Page 23: DevSecOps - Building Rugged Software

23

SecurityDecisionSupport

Copyright ©DevSecOpsFoundation 2015-2016

Page 24: DevSecOps - Building Rugged Software

24

ThisCouldBeYourMeanTimetoResolution…

Copyright ©DevSecOpsFoundation 2015-2016

MTTR

Days… 6months

Page 25: DevSecOps - Building Rugged Software

25 Copyright ©DevSecOpsFoundation 2015-2016

GetInvolvedandJointheCommunity

• devsecops.org• @devsecopsonTwitter• DevSecOpsonLinkedIn• DevSecOpsonGithub• RuggedSoftware.org• ComplianceatVelocity


DevSecOps SG Introduction - August Meetup

DevSecOps SG Introduction - August Meetup

Technology
DevSecOps Best Practices and Considerations

DevSecOps Best Practices and Considerations

Documents
Building Hybrid Rugged Systems Using a Mix of … - Alligator... · Building Hybrid Rugged Systems Using a Mix of Applicable Embedded Standards Bill Ripley Alligator Designs Bill.Ripley@AlligatorDesigns.com

Building Hybrid Rugged Systems Using a Mix of … - Alligator... · Building Hybrid Rugged Systems Using a Mix of Applicable Embedded Standards Bill Ripley Alligator Designs [email protected]

Documents
DoD Enterprise DevSecOps Community of Practice · 2021. 6. 29. · ECMA and Army Software Factory's DevSecOps ... Project Ridgway are users of the DevSecOps ecosystem. 7. ... Continuous

DoD Enterprise DevSecOps Community of Practice · 2021. 6. 29. · ECMA and Army Software Factory's DevSecOps ... Project Ridgway are users of the DevSecOps ecosystem. 7. ... Continuous

Documents
DevSecOps Fundamentals Playbook

DevSecOps Fundamentals Playbook

Documents
Embracing DevSecOps to support Rugged Innovation at Speed and

Embracing DevSecOps to support Rugged Innovation at Speed and

Documents
NHBC equips Building Inspectors with rugged Panasonic ......2019/03/19  · NHBC, the UK's leading home warranty and insurance provider, has equipped its Building Inspectors with rugged

NHBC equips Building Inspectors with rugged Panasonic ......2019/03/19  · NHBC, the UK's leading home warranty and insurance provider, has equipped its Building Inspectors with rugged

Documents
Rugged Maniac 5k Obstacle Race & Mud Run - BUILDING TEAMS … · Rugged Maniac is easily accessible from anywhere in North America. Rugged Races LLC • 45 Bromfield St, Suite 801,

Rugged Maniac 5k Obstacle Race & Mud Run - BUILDING TEAMS … · Rugged Maniac is easily accessible from anywhere in North America. Rugged Races LLC • 45 Bromfield St, Suite 801,

Documents
DEVSECOPS FOR HYBRID CLOUD

DEVSECOPS FOR HYBRID CLOUD

Documents
GOTOldn15 Rugged Building Materials and Creating Agility ...gotocon.com/dl/goto-london-2015/slides/DavidEtue_RuggedBuilding... · Rugged Building Materials and Creating Agility with

GOTOldn15 Rugged Building Materials and Creating Agility ...gotocon.com/dl/goto-london-2015/slides/DavidEtue_RuggedBuilding... · Rugged Building Materials and Creating Agility with

Documents
DevSecOps Insights - Snyk

DevSecOps Insights - Snyk

Documents
DevSecOps in 10 minutes

DevSecOps in 10 minutes

Software
DoD Enterprise DevSecOps Fundamentals · 2021. 6. 11. · DevSecOps, including normalized definitions of DevSecOps concepts. Other pertinent information is captured in corresponding

DoD Enterprise DevSecOps Fundamentals · 2021. 6. 11. · DevSecOps, including normalized definitions of DevSecOps concepts. Other pertinent information is captured in corresponding

Documents
DevSecOps - The big picture

DevSecOps - The big picture

Technology
DevSecOps Journey - CSO50 Conference · DevSecOps Journey 2/28/2018. 3/3/2018 Confidential –Internal Distribution 2 Agenda • DevSecOps @ Fannie Mae o The Challenges and The Promises

DevSecOps Journey - CSO50 Conference · DevSecOps Journey 2/28/2018. 3/3/2018 Confidential –Internal Distribution 2 Agenda • DevSecOps @ Fannie Mae o The Challenges and The Promises

Documents
DevSecOps and the Public Sector

DevSecOps and the Public Sector

Documents
DevSecOps of Containerization

DevSecOps of Containerization

Documents
PLATAFORMA FT DEVSECOPS - UdeA

PLATAFORMA FT DEVSECOPS - UdeA

Documents
Introduccion a devops y devsecops

Introduccion a devops y devsecops

Technology
Enterprise Cloud Security via DevSecOps

Enterprise Cloud Security via DevSecOps

Documents
DevSecOps in Multi Account

DevSecOps in Multi Account

Technology
Putting the Sec in DevSecOps

Putting the Sec in DevSecOps

Documents
2016 - Rugged computers for tough environments.€¦ · of rugged handhelds and tablets, ... of building a leading company in the worldwide rugged industry, ... the United States,

2016 - Rugged computers for tough environments.€¦ · of rugged handhelds and tablets, ... of building a leading company in the worldwide rugged industry, ... the United States,

Documents
DevSecOps – Security at the speed of Developmenttechworld.event.idg.se/wp-content/uploads/sites/15/... · Source: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

DevSecOps – Security at the speed of Developmenttechworld.event.idg.se/wp-content/uploads/sites/15/... · Source: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

Documents
DevOps, DevSecOps, and vArmour - Whitepaper DevSecOps, and... · DevOps and DevSecOps DevOps has become a well established practice within many organizations. It aims to improve the

DevOps, DevSecOps, and vArmour - Whitepaper DevSecOps, and... · DevOps and DevSecOps DevOps has become a well established practice within many organizations. It aims to improve the

Documents
DoD Enterprise DevSecOps Fundamentals - AF

DoD Enterprise DevSecOps Fundamentals - AF

Documents
Overcoming DevSecOps Challenges

Overcoming DevSecOps Challenges

Documents
DevSecOps – Agility with Security...4 DevSecOps – Agility with Security In summary, DevSecOps aims to be a movement that extends all of the organisational benefits achieved through

DevSecOps – Agility with Security...4 DevSecOps – Agility with Security In summary, DevSecOps aims to be a movement that extends all of the organisational benefits achieved through

Documents
Presentation: DoD Enterprise DevSecOps Initiative

Presentation: DoD Enterprise DevSecOps Initiative

Documents
The Journey to DevSecOps

The Journey to DevSecOps

Technology