DJ Schleen
Embracing DevSecOps
A Changing Security Landscape for the US Government
@djschleen
devsecops
not just for hipsters
reduce risk
culture
Photos courtesy of Pixabay and Pexels.
the three ways
AUTOMATE: Automate security toolsets by integrating them into your SDLC in an unobtrusive and transparent way.
DISSEMINATE: Collect information from your toolsets, aggregate it into actionable KPIs, and deliver it to the appropriate stakeholders.
INVESTIGATE: Establish baselines that define normal operating behavior and investigate abnormalities that appear.
EFFICIENCY
WHHHHHHYYYYY?
100:1 DEVELOPERS OUTNUMBER SECURITY
AGILE ISN'T AGILE ENOUGH
The faster a team can deploy to production, the quicker an organization can remediate critical vulnerabilities and zero days.
[Diagram: Agile, Cycle Time: Weeks - Months, a single Plan > Design > Build > Test > Deploy > Operate > Learn loop; DevSecOps, Cycle Time: Minutes - Hours, 10 – 20 Releases as repeated Design > Build > Test > Deploy > Operate > Learn loops, "Your imagination is the limit..."]
Observation: Increased flow can reduce the risk of outdated software stagnating in production. When change is normal and expected, fire-drills become a thing of the past.
TIMELINE OF AN ATTACK
Timeline axis: Mar, Apr, May, Jun, Jul, Aug, Sept
March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638
March 10: Equifax applications breached through Struts2 vulnerability (Large Scale Exploit)
July 29: Breach is discovered by Equifax.
Phases: Probe, Crisis Management
EQUIFAX WAS NOT ALONE
3 Days in March
March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638
March 8: NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances
Struts exploit published to Exploit-DB.
March 9: Cisco observes "a high number of exploitation events."
The Rest of the Story
March 10: Equifax, Canada Revenue Agency, Canada Statistics, GMO Payment Gateway
March 13: Okinawa Power, Japan Post
April 13: India Post
December '17: Monero Cryptomining
March '18: India's AADHAAR
Today: 8,780 continue to download vulnerable versions of Struts; 57% of the Fortune 100
AVERAGE DAYS BEFORE VULNERABILITY IS EXPLOITED
risk
85%-97% CODE YOUR DEVELOPERS DON'T BUILD
NIST SPECIAL PUBLICATION 800-161
SAY HELLO TO YOUR SOFTWARE SUPPLY CHAIN
NOT ALL PARTS ARE CREATED EQUAL
@devstefops
AUTOMATION ACCELERATES OSS DOWNLOADS
1,096 new projects per day
10,000 new versions per day
14x releases per year
• 3M npm components
• 2M Java components
• 900K NuGet components
• 870K PyPI components
DEFECT PERCENTAGES FOR JAVASCRIPT
85% to 97% of modern apps consist of assembled components.
80% to 90% of modern operations consist of assembled containers.
[Chart: Containers vs. hand-built applications and infrastructure]
PULLS FROM DOCKER HUB
time
TIME TO REPAIR OSS COMPONENTS
233 days Mean TTR
119 days Median TTR
122,802 components with known vulnerabilities
19,445 (15.8%) fixed the vulnerability
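As an added example (not code from this deck or from DJ Schleen), the script below puts two of the "three ways" to work on the numbers the deck quotes: it automates a check of a build's pinned component manifest against an advisory list (AUTOMATE), then reduces the result to the KPIs used here, the share of components with known vulnerabilities plus mean and median time-to-repair, and a pass/fail gate for the pipeline (DISSEMINATE). It assumes a requirements-style `name==version` manifest and a hand-built advisory list; every component name, version, date and advisory in it is constructed for illustration, none is a real package or CVE.

```python
"""Dependency gate + KPI summary (added example, not from the deck).
All component names, versions, dates and advisories are constructed."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: Optional[str]   # first non-vulnerable version; None = every version affected
    disclosed: date
    fixed_on: Optional[date]  # None = upstream has not shipped a fix


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only ('1.2.3'); enough for the constructed data here."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> dict:
    """'name==version' lines (requirements.txt style). Unpinned lines are rejected:
    a gate cannot reason about a component whose version floats."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    return adv.fixed_in is None or parse_version(version) < parse_version(adv.fixed_in)


def evaluate(pins: dict, advisories: list, today: date) -> dict:
    """Match pinned components against advisories and compute the deck's KPIs."""
    findings = []
    for adv in advisories:
        version = pins.get(adv.component)
        if version is not None and is_affected(version, adv):
            findings.append({
                "component": adv.component, "version": version, "fixed_in": adv.fixed_in,
                # how long upstream took to repair (the deck's TTR metric)
                "upstream_ttr_days": (adv.fixed_on - adv.disclosed).days if adv.fixed_on else None,
                # how long this build has lagged an available fix (stagnation)
                "days_behind_fix": (today - adv.fixed_on).days if adv.fixed_on else None,
            })
    ttrs = [f["upstream_ttr_days"] for f in findings if f["upstream_ttr_days"] is not None]
    lags = [f["days_behind_fix"] for f in findings if f["days_behind_fix"] is not None]
    vulnerable = {f["component"] for f in findings}
    return {
        "total_components": len(pins),
        "vulnerable_components": len(vulnerable),
        "vulnerable_pct": round(100.0 * len(vulnerable) / len(pins), 1) if pins else 0.0,
        "mean_ttr_days": mean(ttrs) if ttrs else None,
        "median_ttr_days": median(ttrs) if ttrs else None,
        "unfixed_findings": sum(1 for f in findings if f["fixed_in"] is None),
        "max_days_behind_fix": max(lags) if lags else 0,
        "findings": findings,
    }


def gate(report: dict, max_days_behind_fix: int = 30, allow_unfixed: bool = False) -> tuple:
    """Pipeline decision: fail when an available fix is older than the allowed lag, or when
    a component has no upstream fix and policy does not tolerate that. Returns (passed, reasons)."""
    reasons = []
    if report["max_days_behind_fix"] > max_days_behind_fix:
        reasons.append(f"a fix has been available for {report['max_days_behind_fix']} days")
    if report["unfixed_findings"] and not allow_unfixed:
        reasons.append(f"{report['unfixed_findings']} component(s) vulnerable with no upstream fix")
    return (not reasons, reasons)


def render_kpis(report: dict) -> str:
    """One-screen summary for stakeholders (the DISSEMINATE step)."""
    return "\n".join([
        f"components: {report['total_components']}, with known vulnerabilities: "
        f"{report['vulnerable_components']} ({report['vulnerable_pct']}%)",
        f"upstream mean TTR: {report['mean_ttr_days']} days, median TTR: {report['median_ttr_days']} days",
        f"oldest unapplied fix: {report['max_days_behind_fix']} days; no upstream fix: {report['unfixed_findings']}",
    ])


# Constructed sample data (hypothetical packages and advisories, not real ones).
SAMPLE_MANIFEST = """
examplelib==2.3.1   # behind the fixed version
webfwk==1.9.1       # already on the fixed version
parserkit==0.7.9    # fix shipped a year ago, never picked up
oldcrypto==1.0.0    # vulnerable, no fix exists upstream
utility==3.0.0      # no advisory
"""
SAMPLE_ADVISORIES = [
    Advisory("examplelib", "2.4.0", date(2018, 1, 10), date(2018, 1, 12)),
    Advisory("webfwk", "1.9.1", date(2017, 3, 7), date(2017, 3, 7)),   # same-day fix, TTR 0
    Advisory("parserkit", "0.8.0", date(2017, 6, 1), date(2017, 9, 15)),
    Advisory("oldcrypto", None, date(2016, 5, 1), None),
]
SAMPLE_TODAY = date(2018, 10, 1)


def run_sample() -> dict:
    return evaluate(parse_manifest(SAMPLE_MANIFEST), SAMPLE_ADVISORIES, SAMPLE_TODAY)


if __name__ == "__main__":
    report = run_sample()
    print(render_kpis(report))
    passed, reasons = gate(report)
    print("GATE:", "pass" if passed else "FAIL: " + "; ".join(reasons))
```

The two gate thresholds are the policy knobs: `max_days_behind_fix` is the deck's "stagnating in production" risk expressed as a number a team can be held to, and `allow_unfixed` decides whether a component with no upstream repair blocks the build or only appears in the KPI summary for the investigate step.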
APACHE STRUTS2 MEAN TIME TO REPAIR
0 days Mean TTR
CVE ID: CVE-2017-5638
March 7: Apache fixed the vulnerability
7,500 ORGANIZATIONS ANALYZED
170,000 Java component downloads annually
3,500 unique
18,870 (11.1%) with known vulnerabilities
threats are real
A Shifting Battlefront of Attacks: Hackers Inject Malicious Code into Supply Chains
March 2016 - August 2018
Timeline axis: Mar 2016, July 2017, Sep 2017, Jan 2018, Feb 2018, May 2018, Aug 2018
1. left-pad: Popular npm packages were removed from the repository, breaking thousands of websites and revealing how changes can immediately propagate to the real world.
2. npm credentials: Credentials used by publishers of 79,000 packages were published online or easily compromised by dictionary attacks.
3. npm typosquat: 40 intentionally malicious packages harvested credentials used to publish to the npm repository itself.
4. docker123321: Images were created on Docker Hub. In Jan '18 the account was accused of poisoning a Kubernetes honeypot, then in May '18 it was equated to a crypto mining botnet.
5. PyPI typosquat: The Slovak National Security Office (NBU) found 10 malicious PyPI packages. Evidence of the fake packages being downloaded and incorporated into software multiple times was noted between Jun '17 and Sept '17.
6. Malicious npm: Gilbertson writes a fictional tale of creating a malicious npm package to harvest credit card numbers from hundreds of websites.
7. npm credentials: A core contributor to the conventional-changelog ecosystem had their npm credentials compromised and a malicious version of the package was published. The package was installed 28,000 times in 35 hours and executed a Monero crypto miner.
8. go-bindata: After a developer deleted their GitHub account, someone immediately grabbed the ID, inheriting the karma instilled in that id and calling into question what packages and sources are canonical and immutable.
9. Backdoored npm: The npm security team responded to reports of a package that masqueraded as a cookie parsing library but contained a malicious backdoor. Published in March '18 to introduce unauthorized publishing of mailparser; despite being deprecated, mailparser still received about 64,000 weekly downloads.
10. Backdoored PyPI: SSH Decorator (ssh-decorate), a library for handling SSH connections from Python code, was backdoored to enable stealing of private SSH credentials.
11. homebrew breach: Eric Holmes, an operations engineer at Remind, gained commit access to homebrew in under 30 minutes through an exposed GitHub API token. While he had no malicious intent, he gained access to components that are downloaded 500,000 times per month.
NPM AUDIT STATS
Laurie Voss, npm and the future of JavaScript, 2018-10-10
BOUNCY CASTLE
9 years later, vulnerable versions of Bouncy Castle were downloaded…
CVE-2007-6721
CVSS Base Score: 10.0 HIGH
Exploitability Subscore: 10.0
[Chart, 2007 to 2016: download counts shown as 11M and 23M]
Photo courtesy of Pixabay
do not boil
REDUCE DOWNSTREAM DEFECTS
PROTECT YOUR SOFTWARE SUPPLY CHAIN
THE REWARDS ARE IMPRESSIVE
90% improvement in time to deploy
34,000 hours saved in 90 days
48% increase in application quality
Image by DJ Schleen
inevitable