Is there room for SecArch in DevSecOps? (or can old dogs perform new tricks?) Dimitrios Petropoulos 26 April 2018
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
IsthereroomforSecArchinDevSecOps?(orcanolddogsperformnewtricks?)
DimitriosPetropoulos
26April2018
$cut-f5-d:/etc/passwd|grep-ipetropoulos
• DimitriosPetropoulos
• Cryptographerbyeducation(nobody’sperfect)• SecurityArchitect(&pastsecuritydeveloper)bytrade• Havebeenbreaking&mendingthingsforoverathirdofacentury
this.Presentation
• …containsquestions–notanswers…• Majorityofpointsinthispresentationare
• Personalconclusionsafterhavingworkedwithnumerousorganisationsandtriedtoextractcommonpatternsofbehaviourandtrends
• conjectures(inthemathematicalsenseoftheword,i.e.unprovenpropositionswhichappearcorrect)
• Basedonrelativelyrecentmindset
• Mightbecontroversial…• Don’texpectyoutoagreewithme
<Rant>
Constantchange&unityofopposites
“Ταπάνταρεί”*(everythingflows)
“Πόλεμοςπατήρπάντων”(war/struggleisthefatherofall)
Heraclitus(c.535–c.475BC)
*-andFrancescoGabbaniinOccidentali’sKarma
Thebravenewworld
Theopportunity:
• Cloud• *aaS• Automation
• AI• BigData• …
Therequirements(&benefits):
• Agility(↑)
• Speed(↑)
• Scalability(↑)
• Cost(↓)
Thechallengeis:‘security’
Source:https://www.sumologic.com
ThebirthofDevSecOps
• Intimeswherespeedandagilityarethenameofthegame,security:• cannotslowdownbusiness…• …butcannotbeoverlooked
• Theanswer(allegedly)comesfromautomation
Itallstartedhere…
Whatdoesthis‘Sec’mean?
The‘Sec’in‘DevSecOps’
• ApplicationSecurityTesting• SAST• DAST• IAST
• Infrastructure/PlatformVulnerabilityScanning• Platformconfiguration&compliance• Deploymentofcontrols
• Firewalling,micro-segmentation• WAFs,DBSGs,etc.• RASP
• Identity&AccessManagement• …
Automated&programmaticallyprovisioned
Wheredoes‘SecArch’fitinallthis?
IsSecArchsuperfluous?
• Wedidn’tgetsoftware‘right’intheeraofrigider(stricter?)SDLCparadigms–dowestandabetterchanceintheseagiletimes?• CanDevOpsmakeadifference?• CanDevSecOpsmakeadifference?
• Theyareastepintherightdirection• Facilitating(i.e.automating)unwanted(i.e.security)taskscanonlyhelp
• ButtheycannotreplaceSecArch
WebAppSecArch(example)
InfraSecArchevolution(example)[1]
Internet
InternetF/W
InternalF/W
TrustZoneA-VirtualisedServer
vSwitch
VM VM VM
vSwitch
VM VM VM
vSwitch
VM VM VM
vSwitch
VM VM VM
TrustZoneB-VirtualisedServer
TrustZoneC-VirtualisedServer TrustZoneD-VirtualisedServer
HypervisorHypervisor
Hypervisor Hypervisor
InfraSecArchevolution(example)[2]
‘*asCode’
• InfrastructureasCode• SecurityasCode• …
• Canwedetermine(letaloneachieve)theobjectiveswithoutsoundSecArch?• Manifestosalone(ruggedastheymaybe)arenotenough…• Godhelpus…
• SecDevOps’reachisnotbroadordeepenough…• It’snotearlyenoughinthelifecycle…
ArchitectureStrategy&Governance
CyberDefence
Operations
Verification
Construction
Policy&
Standards
Compliance&
Metrics
Architecturecomesfirst…
Dev
OpsSec
Don’tsayIdidn’twarnyou…
• XY+XZ=• SecDev+SecOps=
X(Y+Z)Sec(Dev+Ops)
Nowthatσ(Dev,Sec,Ops)hasfreedusfromthechainsofthemundane,canwefocusandspendmoretimeonsomethingthatreallymatters?
</Rant>
Thankyouforyourattention!
Timeforquestions…
https://www.linkedin.com/in/dpetropoulos/
Related Documents
