Finding Security a Home in a DevOps World @devsecops http://devsecops.org
Source: dw.connect.sys-con.com/session/2758/Finding-Security-A...

Mar 13, 2018

Transcript
Page 1: Finding Security a Home in a DevOps World (dw.connect.sys-con.com/session/2758/Finding-Security-A...) @devsecops

Finding Security a Home in a DevOps World

@devsecops

http://devsecops.org

Page 2

Who I am

• 25+ yrs Technology & Security

• Background in Security R&D

• Working with the Cloud before it was called “The Cloud”

• Manage my teams using DevOps & Scrum

• Big Scale IR & Crisis Management

-- FOUNDER --

Page 3

Why I’m @ DevOps Summit

• Awesome Venue to talk to like-minded individuals

• Increase viability through collaboration

• Customer Research & Feedback

• Because DevOps Summit Rocks!!

Page 4

How can Security enable a DevOps World?

Page 5

Here’s how to listen if you are a…

Your Role: Your Interest

DevOps: Less Friction, Faster Decisions

Security: Value Creation

Management: Faster Delivery of Customer Features with Better Security

Page 6

Are you tired of the Traditional Security grind? Is Security preventing your DevOps success?

• Double-click installer

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

Page 3 of 267

Security Configuration Procedures V 3.6.0.1.1, January 2011

Frozen in Time

Page 7

Is bureaucracy getting in the way of Continuous Deployments and Real Security?

Why does it take so long for features?

[Diagram: You, Your Customer and the CISO]

Hopefully it’s not going to be another round of “No’s”…

Page 8

Does it feel like a Waste of Time?


Page 9

Making you feel like this…

Bang Head Here

Page 10

Because you want to fulfill on these promises…

JOB #1: KEEP CUSTOMER DATA SAFE!!!

JOB #2: SOLVE CUSTOMER PROBLEMS!!!

Page 11

BUT what if you could make good security decisions with guidelines like these?

(Responsibility shifts from Internal, on the left, to Partners, on the right.)

On-Prem
  Who is responsible? You
  Which minimal controls are needed? Physical Security; Secure Handling & Disposal
  Where does data transit and get stored? company “owned” data center or co-location
  What are the innovation benefits? reduced latency; search sensitive data
  What are the potential risks? SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow

Partial On-Prem
  Who is responsible? You
  Which minimal controls are needed? File or Object Encryption for Sensitive Data; Physical Security; Secure Handling & Disposal
  Where does data transit and get stored? any compute & transit; data stored on-prem
  What are the innovation benefits? speed; reduced friction; search sensitive data
  What are the potential risks? Latency; SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow

Outsource w/ No Indemnif.
  Who is responsible? You
  Which minimal controls are needed? File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation
  Where does data transit and get stored? public cloud; free services
  What are the innovation benefits? speed; reduced friction; evolving patterns; community
  What are the potential risks? Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown; Reduced Financial responsibility

Outsource w/ Part. Indemnif.
  Who is responsible? You + Partner
  Which minimal controls are needed? File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation
  Where does data transit and get stored? SaaS; public cloud; free services; private cloud
  What are the innovation benefits? speed; reduced friction; evolving patterns; community
  What are the potential risks? Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown

Outsource w/ Full Indemnif.
  Who is responsible? Partner
  Which minimal controls are needed? Partner Security Controls; SOC Attestation
  Where does data transit and get stored? managed services; SaaS; private cloud
  What are the innovation benefits? speed; reduced friction; indemnification
  What are the potential risks? Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown

Page 12

Because your Security Team does this:

DevSecOps

Security Engineering

Experiment, Automate, Test

Security Operations

Hunt, Detect, Contain

Compliance Operations

Respond, Manage, Train

Security Science

Learn, Measure, Forecast

Page 13

And this…

[Diagram of the cross-account workflow; labels recovered from the slide: Pull / Push; Source Code Repository; Baseline; IAM Catalog; Trusting BU Accounts; SecRole (IAM Role); Develop, Review, Test, Approve, Commit; Ruby; AKID/SAK; Admin; STS; Creds; numbered steps 1 to 5]

Page 14

Using these tools…

[Diagram of the security data pipeline; labels recovered from the slide: AWS accounts (S3, Glacier, EC2, CloudTrail); ingestion; threat intel; security tools & data; security science; insights]

Page 15

And these…

[Diagram: a Central Account (Trusted) with an Admin, and a SecRole IAM role in each of the other accounts]

How did we decide which roles would be deployed?

• Human
  • IAM Admin
  • Incident Response
  • Read Only

• Services
  • IAM Grantor
  • Instance Roles required to support security services
  • Read Only
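The cross-account model on pages 13 and 15 (a central trusted account whose master role assumes a SecRole in each business-unit account listed in accounts.csv), as an added Ruby example that is not code from the deck or from the DevSecOps toolkit: it builds the trust policy each SecRole should carry and audits an existing one for principals outside the central account or a missing MFA requirement. The account numbers, the CSV layout and the MFA condition are assumptions.

```ruby
require "csv"
# Constructed stand-in for the toolkit's config/accounts.csv; the account
# numbers and column layout are assumptions, not the deck's data.
ACCOUNTS_CSV = <<~CSV
  account_id,name
  111111111111,payments-bu
  222222222222,analytics-bu
CSV
CENTRAL_ACCOUNT = "999999999999"  # placeholder central (trusted) account
MASTER_ROLE     = "master-auditor" # default from the tk help text on page 16
SEC_ROLE        = "SecRole"        # per-account role in the deck's diagrams

def role_arn(account_id, role_name)
  "arn:aws:iam::#{account_id}:role/#{role_name}"
end

# Trust policy for each BU account's SecRole: only the central account's
# master role may assume it, and only with MFA present (assumed condition).
def sec_role_trust_policy(central_account, master_role)
  { "Version" => "2012-10-17",
    "Statement" => [{
      "Effect"    => "Allow",
      "Principal" => { "AWS" => role_arn(central_account, master_role) },
      "Action"    => "sts:AssumeRole",
      "Condition" => { "Bool" => { "aws:MultiFactorAuthPresent" => "true" } } }] }
end

# Audit check: flag Allow statements that trust a principal outside the
# central account or that do not require MFA. Empty result means clean.
def trust_policy_findings(policy, central_account)
  findings = []
  Array(policy["Statement"]).each do |st|
    next unless st["Effect"] == "Allow"
    principal  = st["Principal"]
    principals = principal.is_a?(Hash) ? Array(principal["AWS"]) : Array(principal)
    principals.each do |p|
      acct = p.to_s[/\Aarn:aws:iam::(\d{12}):/, 1]
      findings << "untrusted principal #{p}" unless acct == central_account
    end
    mfa = st.dig("Condition", "Bool", "aws:MultiFactorAuthPresent")
    findings << "MFA not required" unless mfa.to_s == "true"
  end
  findings
end

# SecRole ARNs the central account would assume, one per listed account.
def target_role_arns(csv_text, role_name = SEC_ROLE)
  CSV.parse(csv_text, headers: true).map { |row| role_arn(row["account_id"], role_name) }
end
```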

Page 16

And these…

$ bundle exec bin/tk help config
Usage:
  tk config

Options:
  -i, [--interactive], [--no-interactive]          # interactive mode for q&a to set up config
  -p, [--profile-name=PROFILE_NAME]                # profile name in .aws config file
  -r, [--master-region=MASTER_REGION]              # region for master account
                                                   # Default: us-west-2
  -a, [--master-account=MASTER_ACCOUNT]            # 12 digit AWS account number without dashes
  -n, [--master-role-name=MASTER_ROLE_NAME]        # name of master role to assume cross-account roles
                                                   # Default: master-auditor
  -t, [--target-account-list=TARGET_ACCOUNT_LIST]  # location for csv file containing accounts list to audit
                                                   # Default: config/accounts.csv
  -d, [--output-dir=OUTPUT_DIR]                    # directory for storing results
                                                   # Default: home
  -f, [--output-type=OUTPUT_TYPE]                  # supports csv
                                                   # Default: csv

Description:
  Using the devsecops toolkit requires a master configuration file to establish the credentials, role, MFA, etc. used to support cross-account usage. This command provides you with an interactive and advanced interface for creating a configuration file to support your usage. The configuration file can be found in your home directory under .tk/config and you can also hand edit this file using yaml.

Page 17

Experimenting like this:

[Diagram of the experiment map; labels recovered from the slide]

Security as Code? Experiment: Automate Policy Governance

Security Operations? Experiment: Detection via Security Operations

Compliance Operations? Experiment: Compliance via DevSecOps toolkit

Science? Experiment: Science via Profiling

DevOps + Security / DevOps + DevSecOps

Start Here?

Page 18

So that Security can be simple like this…

Page 19

And you can improve the security of your app via Self-Service…

Page 20

And you can collaborate like this…

Page 21

So that you and your customers can feel like this…

Page 22

With monitoring like this…

Page 23

So you and your customers can sleep like this…


Page 24

What if Security were MORE than just friction?

Page 25

What if our experimentation helped us determine that we might have fewer of these…

STOP THE DATA BREACHES!!!

Page 26

If we did more of this…

RED TEAM HACK DAYS

INCIDENT DRIVEN DEVELOPMENT METRICS

LEAN

EXPERIMENTS

DEVOPS

Page 27

And less of this… Because it doesn’t work…

• Manual Reviews

• Paper Threat Modeling

• Gating Processes

• Approvals & Exceptions

• Reactive Incident Response

• Theoretical Evaluations

• F.U.D.

Page 28

What would you do with all your free time?

Page 29

Isn’t it time for you to demand a better world for DevOps?

Page 30

Join the Community:

@devsecops

http://devsecops.org

LinkedIn: DevSecOps