Is there room for SecArch in DevSecOps? (or can old dogs perform new tricks?) Dimitrios Petropoulos 26 April 2018
$ cut -f5 -d: /etc/passwd | grep -i petropoulos
• Dimitrios Petropoulos
• Cryptographer by education (nobody's perfect)
• Security Architect (& past security developer) by trade
• Have been breaking & mending things for over a third of a century
this.Presentation
• …contains questions – not answers…
• Majority of points in this presentation are
  • Personal conclusions after having worked with numerous organisations and tried to extract common patterns of behaviour and trends
  • conjectures (in the mathematical sense of the word, i.e. unproven propositions which appear correct)
  • Based on a relatively recent mindset
• Might be controversial…
• Don't expect you to agree with me
<Rant>
Constant change & unity of opposites
"Τα πάντα ρεί"* (everything flows)
"Πόλεμος πατήρ πάντων" (war/struggle is the father of all)
Heraclitus (c. 535 – c. 475 BC)
* – and Francesco Gabbani in Occidentali's Karma
The brave new world
The opportunity:
• Cloud
• *aaS
• Automation
• AI
• Big Data
• …
The requirements (& benefits):
• Agility (↑)
• Speed (↑)
• Scalability (↑)
• Cost (↓)
The challenge is: 'security'
Source: https://www.sumologic.com
The birth of DevSecOps
• In times where speed and agility are the name of the game, security:
  • cannot slow down business…
  • …but cannot be overlooked
• The answer (allegedly) comes from automation
It all started here…
What does this 'Sec' mean?
The 'Sec' in 'DevSecOps'
• Application Security Testing
  • SAST
  • DAST
  • IAST
• Infrastructure/Platform Vulnerability Scanning
• Platform configuration & compliance
• Deployment of controls
  • Firewalling, micro-segmentation
  • WAFs, DBSGs, etc.
  • RASP
• Identity & Access Management
• …
Automated & programmatically provisioned
Where does 'SecArch' fit in all this?
Is SecArch superfluous?
• We didn't get software 'right' in the era of rigider (stricter?) SDLC paradigms – do we stand a better chance in these agile times?
• Can DevOps make a difference?
• Can DevSecOps make a difference?
  • They are a step in the right direction
  • Facilitating (i.e. automating) unwanted (i.e. security) tasks can only help
  • But they cannot replace SecArch
Web App SecArch (example)
Infra SecArch evolution (example) [1]
[Diagram: Internet → Internet F/W → Internal F/W → Trust Zone A, Trust Zone B, Trust Zone C, Trust Zone D; each trust zone is a virtualised server running a hypervisor with its own vSwitch and a set of VMs]
Infra SecArch evolution (example) [2]
'*as Code'
• Infrastructure as Code
• Security as Code
• …
• Can we determine (let alone achieve) the objectives without sound SecArch?
• Manifestos alone (rugged as they may be) are not enough…
• God help us…
• SecDevOps' reach is not broad or deep enough…
• It's not early enough in the lifecycle…
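The point of 'Security as Code' is that an architectural decision becomes something a pipeline can test rather than a drawing nobody checks. The block below is an added illustration, not part of this presentation or of any tool the author uses: it encodes the trust-zone model of the preceding diagram (Internet → Internet F/W → Internal F/W → Trust Zones A–D, one hypervisor and vSwitch per zone) as a policy and runs it over a constructed inventory. The inventory schema, the enforcement-point names `InternetFW`/`InternalFW`, and the reading that Internet-originated traffic must cross both firewalls while inter-zone traffic must cross the internal one are assumptions made for the example.

```python
"""Added example: a 'security as code' check for the trust-zone model.

Everything here (inventory schema, device names, required paths) is a
constructed assumption for illustration, not a real tool's format.
"""
import copy
from typing import Dict, List, Sequence

INTERNET = "Internet"

# Constructed inventory in the spirit of an IaC definition (assumed schema):
#   hosts:     virtualised server -> trust zone
#   vswitches: vSwitch -> host it lives on (one vSwitch per hypervisor)
#   vms:       VM -> list of vSwitches its NICs attach to
#   flows:     permitted flows and the enforcement points they traverse
INVENTORY: Dict = {
    "hosts": {"hv-a": "A", "hv-b": "B", "hv-c": "C", "hv-d": "D"},
    "vswitches": {"vsw-a": "hv-a", "vsw-b": "hv-b", "vsw-c": "hv-c", "vsw-d": "hv-d"},
    "vms": {
        "web-1": ["vsw-a"], "web-2": ["vsw-a"],
        "app-1": ["vsw-b"],
        "db-1": ["vsw-c"],
        "mgmt-1": ["vsw-d"],
    },
    "flows": [
        {"src": INTERNET, "dst": "web-1", "via": ["InternetFW", "InternalFW"]},
        {"src": "web-1", "dst": "app-1", "via": ["InternalFW"]},
        {"src": "app-1", "dst": "db-1", "via": ["InternalFW"]},
        {"src": "web-1", "dst": "web-2", "via": []},   # intra-zone, vSwitch only
    ],
}


def zones_of(inv: Dict, endpoint: str) -> set:
    """Trust zones an endpoint sits in; the Internet counts as its own zone."""
    if endpoint == INTERNET:
        return {INTERNET}
    zones = set()
    for vsw in inv["vms"][endpoint]:
        zones.add(inv["hosts"][inv["vswitches"][vsw]])
    return zones


def required_via(src_zone: str, dst_zone: str) -> List[str]:
    """Enforcement points the architecture demands for a src->dst flow
    (assumed reading of the diagram)."""
    if src_zone == dst_zone:
        return []
    if src_zone == INTERNET:
        return ["InternetFW", "InternalFW"]
    if dst_zone == INTERNET:
        return ["InternalFW", "InternetFW"]
    return ["InternalFW"]


def traverses(via: Sequence[str], need: Sequence[str]) -> bool:
    """True if every required hop appears in `via`, in order (extra hops allowed)."""
    it = iter(via)
    return all(any(hop == n for hop in it) for n in need)


def check_segmentation(inv: Dict) -> List[str]:
    """Return architecture violations found in the inventory (empty list = compliant)."""
    findings: List[str] = []
    # A VM with NICs on vSwitches of different zones bridges those zones
    # around the internal firewall.
    for vm in inv["vms"]:
        z = zones_of(inv, vm)
        if len(z) != 1:
            findings.append(f"{vm}: spans trust zones {sorted(z)}")
    # Every declared flow must pass through the firewalls the model requires.
    for f in inv["flows"]:
        for sz in zones_of(inv, f["src"]):
            for dz in zones_of(inv, f["dst"]):
                need = required_via(sz, dz)
                if not traverses(f["via"], need):
                    findings.append(
                        f"{f['src']}->{f['dst']}: zone {sz}->{dz} requires {need}, declared {f['via']}"
                    )
    return findings


def broken_inventory() -> Dict:
    """Constructed copy with two violations, to show what the check reports."""
    inv = copy.deepcopy(INVENTORY)
    inv["vms"]["mgmt-1"] = ["vsw-d", "vsw-c"]          # dual-homed across zones D and C
    inv["flows"].append({"src": INTERNET, "dst": "db-1", "via": ["InternetFW"]})  # skips Internal F/W
    return inv


if __name__ == "__main__":
    print("baseline:", check_segmentation(INVENTORY) or "OK")
    for line in check_segmentation(broken_inventory()):
        print("VIOLATION:", line)
```

Run it as a pipeline step against the inventory a deployment is about to apply: the baseline passes, while the deliberately broken copy reports the dual-homed VM and the flow that bypasses the internal firewall. The check is only as good as the model behind it, which is the author's point: someone still has to decide what the zones and required paths are before anything can be automated.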
[Diagram: Architecture spans Strategy & Governance, Policy & Standards, Compliance & Metrics, Construction, Verification, Operations and Cyber Defence]
Architecture comes first…
[Diagram: Dev, Ops, Sec]
Don't say I didn't warn you…
• XY + XZ = X(Y + Z)
• SecDev + SecOps = Sec(Dev + Ops)
Now that σ(Dev, Sec, Ops) has freed us from the chains of the mundane, can we focus and spend more time on something that really matters?
</Rant>
Thank you for your attention!
Time for questions…
https://www.linkedin.com/in/dpetropoulos/