My first real tech job
Dev[Sec]Ops for Developers: How To Start
European Testing Conference 2020
Patricia Aas
Patricia Aas - Consultant
C++ Programmer, Application Security
Currently: TurtleSec
Previously: Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science
Pronouns: she/her
@pati_gallardo
Quality
Accelerate, Nicole Forsgren PhD, Humble and Kim:
“Our research shows that building security into software development not only improves delivery performance but also improves security quality. Organizations with high delivery performance spend significantly less time remediating security issues.”
“improves security quality”
Security is a Quality Metric
Vulnerability
What is a Vulnerability?
Bug → Vulnerability → Exploit
If a bug can be exploited, then it is a vulnerability.
What does an Exploit do?
Read / Write / Execute
Information Leaks
Intelligence Gathering
Remote Code Execution
Privilege Escalation
Denial of Service
Planting of Shellcode
Exploitation: The Weird Machine (@halvarflake, @sergeybratus)
Diagram: The Target contains the Bug/Vulnerability, which leads to a Weird State; The Exploit operates in that Weird State.
There is an artificial line between security testing and other types of testing.
Vulnerabilities are Bugs.
Culture
Looking for Zebras
“In medical school, you are taught that if, metaphorically, there is the sound of hoofbeats pounding towards you then it’s sensible to assume they come from horses not zebras [...] With House it’s the opposite. We are looking for zebras.”
‘Dr Lisa Sanders’ in ‘House M.D.’
We tend to classify problems based on the problems we are used to.
This stops us from understanding folks that deal with different classes of problems.
Cynefin Framework by Dave Snowden
https://cognitive-edge.com/blog/liminal-cynefin-image-release/
Fixing things (Cynefin Framework by Dave Snowden)
Chaotic: Crisis, Stabilize (novel practice)
Complex: Discover (emergent practice)
Complicated: Engineer (good practice)
Obvious: Automate (best practice)
DevOps (Cynefin Framework by Dave Snowden)
Chaotic: Incident Response (critical; the other three domains are not critical)
Complex: Probe, Prototyping (creativity)
Complicated: Analyze, Development (skill)
Obvious: Auto Deploy (automation)
Incident in Prod (Cynefin Framework by Dave Snowden)
Chaotic: Act, Put out fires
Complex: Probe, Investigate
Complicated: Analyze, Remediate
Obvious: Auto, Change
Security (Cynefin Framework by Dave Snowden)
Chaotic: Act, Fuzzing
Complex: Probe, Debugging
Complicated: Analyze, Exploit dev
Obvious: Auto, Metasploit
Testing (Cynefin Framework by Dave Snowden)
Complex: Probe, Making the Right System: A/B Testing, Chaos Monkey
Complicated: Analyze, Making the System Right: TDD, Static Analysis
Dev[Sec]Ops
Simplified Pre-DevOps Deployment Workflow
Coding → Building → Testing → Manual Security Gatekeeping → Monitoring
But you have to get out of the Critical Path?
- We have no “Security Team”
1 security person per 10 ops people per 100 developers*
*Accelerate, Forsgren PhD, Humble and Kim
Manual security review does not scale
Pipeline stages: Coding → Building → Testing → Scanning → Monitoring
Tooling along the pipeline: IDE Plugins, Static Analysis, Warnings, Commit hooks, Dependency Checks, Dynamic Analysis, Fuzzing, Simulations, Alerts, Dashboards
Risk Modeling
Company Killer
What are you really afraid of?
What kind of event could put you out of business?
Pre-mortem
Your worst headline is in the newspaper,
how did this happen?
Data Flow Diagram
Elements: External Entity, Process, Data Store, Data Flow, Trust Boundary
External Entity (Browser/App) → Data Flow → Process (Backend) → Data Flow → Data Store
A Trust Boundary lies between the Browser/App and the Backend, and another between the Backend and the Data Store.
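The diagram above is the artifact the talk later asks to put into peer review (threat modeling added to code review). As an added example, not from the original slides, here is the same three-element diagram written down as data so a script can list every flow that crosses a trust boundary and attach the questions a reviewer should answer about it. The trust-zone names, the extra Worker process and the flow labels are constructed for this example; the check itself is the usual rule that a flow whose endpoints sit in different zones crosses a boundary, that data entering a more trusted zone is attacker-controlled until validated, and that data leaving one may leak.

```python
"""Walk a data flow diagram and list the flows that cross a trust boundary."""
from __future__ import annotations

from dataclasses import dataclass

# Each element lives in a trust zone; a higher level means we trust code and
# data there more. Zones are constructed for the example and mirror the slide:
# browser/app on the internet, the backend, the data store.
TRUST_LEVEL = {"internet": 0, "backend": 1, "data": 2}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external entity", "process" or "data store"
    zone: str


@dataclass(frozen=True)
class Flow:
    source: Element
    target: Element
    data: str


# Constructed diagram following the slide. The Worker process is added only to
# show a flow that stays inside one zone and so needs no boundary review.
BROWSER = Element("Browser/App", "external entity", "internet")
BACKEND = Element("Backend", "process", "backend")
WORKER = Element("Worker", "process", "backend")
STORE = Element("Data Store", "data store", "data")

FLOWS = [
    Flow(BROWSER, BACKEND, "login request"),
    Flow(BACKEND, BROWSER, "session token"),
    Flow(BACKEND, WORKER, "job"),
    Flow(BACKEND, STORE, "user query"),
    Flow(STORE, BACKEND, "user rows"),
]


def crosses_boundary(flow: Flow) -> bool:
    """A flow crosses a trust boundary when its endpoints are in different zones."""
    return flow.source.zone != flow.target.zone


def review_questions(flow: Flow) -> list[str]:
    """Questions a reviewer should answer for a boundary-crossing flow; [] otherwise."""
    if not crosses_boundary(flow):
        return []
    src, dst = TRUST_LEVEL[flow.source.zone], TRUST_LEVEL[flow.target.zone]
    questions = [
        f"How is {flow.target.name} sure the '{flow.data}' really comes from {flow.source.name}?"
    ]
    if src < dst:
        # Data entering a more trusted zone: treat it as attacker-controlled.
        questions.append(f"How does {flow.target.name} validate '{flow.data}' before using it?")
        questions.append(
            f"What happens if {flow.source.name} sends a malformed or oversized '{flow.data}'?"
        )
    else:
        # Data leaving for a less trusted zone: think about what is disclosed.
        questions.append(f"Does '{flow.data}' reveal anything {flow.target.name} must not see?")
        questions.append(f"Is {flow.target.name} authorized to receive '{flow.data}' at all?")
    return questions


def boundary_crossings(flows: list[Flow]) -> list[Flow]:
    return [f for f in flows if crosses_boundary(f)]


def review_checklist(flows: list[Flow]) -> dict[str, list[str]]:
    """Map 'Source -> Target: data' to its questions, for boundary flows only."""
    return {
        f"{f.source.name} -> {f.target.name}: {f.data}": review_questions(f)
        for f in boundary_crossings(flows)
    }


if __name__ == "__main__":
    for label, questions in review_checklist(FLOWS).items():
        print(label)
        for question in questions:
            print("  -", question)
```

Kept next to the code, the element and flow lists change in the same pull request as the feature they describe, which is what makes the threat model reviewable rather than a diagram on a wiki.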
Hacks
Six areas to bootstrap: Tooling, Manpower, Security Reviews, Incident Response, Automation, Auditability
6 Dev[Sec]Ops Hacks
1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
Bootstrapping Tooling: 1. Live Off the Land
Use your issue tracker
Use your chat
Use your monitoring
Use your dashboards
Integrate into your tools
Bootstrapping Manpower: 2. Have Devs Build It
Use the devs to build integrations
Find ways to justify it
Dual purpose: Stability and Security
Bootstrapping Security Reviews: 3. Trunk-based Development
Small commits
Add security to peer review
Add threat modeling to peer review
Feature toggles
Use feature toggles for A/B testing
Bootstrapping Incident Response: 4. Use Existing Crisis Process
Have a Hotline
security@example.com
https://example.com/.well-known/security.txt
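A hotline is only useful while the published file stays valid, and the format has rules worth checking in the pipeline rather than by eye. Added example, not from the original slides: a small Python checker for a security.txt file against the field rules later standardized in RFC 9116 (Contact required and given as a URI, Expires required exactly once in RFC 3339 form and preferably less than a year ahead, Preferred-Languages at most once). The sample file, its addresses and the fixed clock are constructed placeholders for example.com.

```python
"""Check a security.txt file against the field rules of RFC 9116."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample, as a site might serve it at /.well-known/security.txt.
# Addresses and URLs are placeholders.
SAMPLE_SECURITY_TXT = """\
# Security contact for example.com
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2020-12-31T23:59:59.000Z
Preferred-Languages: en, no
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/policy
"""
# Fixed clock for the sample so the checks are reproducible (constructed).
SAMPLE_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)

REQUIRED = {"contact", "expires"}                 # must appear at least once
AT_MOST_ONCE = {"expires", "preferred-languages"}  # must never repeat
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption", "expires",
    "hiring", "policy", "preferred-languages",
}
# RFC 9116 requires Contact to be a URI; these are the schemes it gives as examples.
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> values; comments and blank lines are skipped.

    Lines that are not 'Name: value' are kept under the pseudo-field '_malformed'.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            fields.setdefault("_malformed", []).append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> datetime | None:
    """Parse the RFC 3339 timestamp of the Expires field; None if it is not one."""
    # datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(value)
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None  # RFC 3339 needs an offset


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return the problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"malformed line: {line!r}" for line in fields.get("_malformed", [])]

    for name in sorted(REQUIRED):
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in sorted(AT_MOST_ONCE):
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must not repeat: {name}")

    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"contact should be a mailto:, https:// or tel: URI: {contact}")

    for value in fields.get("expires", [])[:1]:
        when = parse_expires(value)
        if when is None:
            problems.append(f"expires is not an RFC 3339 timestamp: {value}")
        elif when <= now:
            problems.append(f"file expired at {when.isoformat()}")
        elif when - now > timedelta(days=365):
            problems.append("expires is more than a year ahead; RFC 9116 recommends less")

    for name in fields:
        if name != "_malformed" and name not in KNOWN_FIELDS:
            problems.append(f"unknown field (extensions are allowed, check the spelling): {name}")
    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT, now=SAMPLE_NOW) or ["ok"]:
        print(problem)
```

Run against the deployed file (fetched over https) from a scheduled job, so an expired or typo'd contact shows up in your own monitoring before a reporter gives up and posts on social media.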
External Vulnerability Report Flow
Reports arrive as a Bug Report, a Vulnerability Report, or via Social Media, and land with QA, Security, or Marketing.
Triage sorts each one into: No bug, Bug, or Vulnerability.
Use Existing Crisis Process for Incident Response
You Know How To Handle A Crisis
Security Improvements to Existing Crisis Process
Separate priority in bug-tracker
Separate channel in Slack
Security Engineer side-duty
Simple procedure
How will people get paid in off-hours?
Bootstrapping Automation: 5. Automate as Much as Possible
Add IDE plugins
Add dependency scanner in CI/CD
Add scanners in CI/CD
Dynamic scan in a non-blocking pipeline
All results in dev visualization
Bootstrapping Auditability: 6. Infrastructure as Code
Fully Automated Pipeline
Configuration Management
Know what you’re running
Auditable
Incremental Security
Incremental, Layered, Security
Teach everyone what to look for
Use their Tooling and their Dashboards
Fast, stable, automated tests in the Critical Path
Use the existing Crisis Process for Incidents
Have slower tests off the Critical Path
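The automation hack earlier and this slide describe one policy: fast, stable checks sit in the critical path and may block; slower or noisier scans (the dynamic scan in a non-blocking pipeline) run beside it and only report, with every result landing on the developers' own dashboard. Added example, not from the original slides: a Python gate that applies that policy to scanner results. The tool names, lanes, findings and locations are constructed placeholders, not products or real issues; the decision to fail closed when a fast-lane scanner does not run is this example's, so that a green pipeline means the checks actually ran.

```python
"""Decide which scanner findings block a pipeline and which only get reported."""
from __future__ import annotations

from dataclasses import dataclass, field

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Which lane each tool runs in. Fast, stable tools sit in the critical path and
# may block a merge or deploy; slow or noisy tools run beside it and only report.
# Tool names are placeholders for this example, not products.
FAST_LANE = {"static-analysis", "dependency-check"}
SLOW_LANE = {"dynamic-scan", "fuzzing"}


@dataclass(frozen=True)
class Finding:
    tool: str
    severity: str          # one of SEVERITY_RANK
    title: str
    location: str


@dataclass
class ToolRun:
    tool: str
    ok: bool               # False when the scanner itself failed to run
    findings: list[Finding] = field(default_factory=list)


@dataclass
class GateResult:
    blocked: bool
    reasons: list[str]        # why the pipeline is blocked (empty if it is not)
    dashboard: list[Finding]  # every finding, for the developers' dashboard
    alerts: list[str]         # things to tell someone about without blocking


def evaluate_gate(runs: list[ToolRun], block_at: str = "high") -> GateResult:
    """Block only on fast-lane findings at or above `block_at`; report everything.

    A fast-lane tool that fails to run blocks too (fail closed): a green pipeline
    must mean the checks happened. A slow-lane tool that fails only raises an alert.
    """
    threshold = SEVERITY_RANK[block_at]
    result = GateResult(blocked=False, reasons=[], dashboard=[], alerts=[])
    for run in runs:
        if run.tool in FAST_LANE:
            if not run.ok:
                result.reasons.append(f"{run.tool} did not complete")
            for f in run.findings:
                result.dashboard.append(f)
                if SEVERITY_RANK[f.severity] >= threshold:
                    result.reasons.append(f"{run.tool}: {f.severity} {f.title} at {f.location}")
        elif run.tool in SLOW_LANE:
            if not run.ok:
                result.alerts.append(f"{run.tool} did not complete")
            for f in run.findings:
                result.dashboard.append(f)
                if SEVERITY_RANK[f.severity] >= threshold:
                    result.alerts.append(
                        f"{run.tool}: {f.severity} {f.title} at {f.location} (review, not blocking)"
                    )
        else:
            # An unconfigured scanner must neither gate silently nor vanish.
            result.alerts.append(f"unknown tool {run.tool}; its findings were not evaluated")
    result.blocked = bool(result.reasons)
    return result


# Constructed scanner output for one pipeline run (not real findings).
SAMPLE_RUNS = [
    ToolRun("static-analysis", True, [
        Finding("static-analysis", "high", "SQL built with string concatenation", "api/users.py:42"),
        Finding("static-analysis", "low", "unused import", "api/users.py:3"),
    ]),
    ToolRun("dependency-check", True, [
        Finding("dependency-check", "medium", "outdated library with a published advisory", "requirements.txt"),
    ]),
    ToolRun("dynamic-scan", True, [
        Finding("dynamic-scan", "critical", "reflected input in error page", "GET /search"),
    ]),
    ToolRun("fuzzing", False),
]

if __name__ == "__main__":
    gate = evaluate_gate(SAMPLE_RUNS)
    print("blocked:", gate.blocked)
    for line in gate.reasons + gate.alerts:
        print(" ", line)
```

The point of the two lanes is that moving a tool from the slow lane to the fast lane is a deliberate, reviewable change once it has proved stable, rather than every new scanner landing in the critical path on day one.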
Learn
Phases of Incident Response¹
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
¹Incident Handler’s Handbook, SANS Institute
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Practice
“We don't rise to the level of our expectations, we fall to the level of our training.”
Greek lyrical poet, Archilochus
Accident or Breach? Does it matter?
Questions?
Photos from pixabay.com
Patricia Aas, TurtleSec
@pati_gallardo