Outpost24 webinar: Turning DevOps and security into DevSecOps
Stories From the Trenches
Turning DevOps into DevSecOps
Simon Roe
Agenda
• Fundamental Differences
• Resistance is futile
• Learn by example
• Now what?
About Outpost24
• Global HQ – Sweden
• Sales – BeNeLux, DACH, Nordics, UK&I/France, US
• MSSP and Reseller partners in additional locations
• Over 130 full time staff
• 37% YoY growth 2016 - 2017
Traditional ‘Waterfall’ Development
Security is ‘tested’ during the fixed Test period.
Plan → Code → Build → Test → Release → Deploy
Cost of Security Defects (courtesy of IBM, 2016)
• Cost of a Data Breach: $7.2M
• 80 days to detect
• More than four months (123 days) to resolve
Cost to fix, by the phase in which the defect is found:
• Development: $80 / defect
• Build: $240 / defect
• QA/Test: $960 / defect
• Production: $7,600 / defect
80% of development costs are spent identifying and correcting defects!
Source: Ponemon Institute
Source: National Institute of Standards and Technology
So why are organisations ‘slow’ to adopt DevSecOps?
• Clinging to traditional security
• Security NOT a priority in DevOps
• Lack of expertise in house
• Zero defect at release
‘Information Security and compliance won’t let us’
How do we incorporate Security?
• Security has historically been a silo
• Designed to prevent change
• Waterfall security does not fit the shift left mentality
• Process + People change
‘Companies are spending a great deal on security. But we read of a number of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process.’
– Thinking Security, Steven M. Bellovin
Resistance is futile
DevOps is here, and getting bigger
Benefits of ‘DevOps’
Source: https://www.infopulse.com/blog/what-is-devops-and-its-business-benefits/
Adoption increasing - security still lagging
Source: https://devops.com/2018-database-devops-survey-reveals-database-crises-still-prevalent-mostly-avoidable/
Source: Sonatype DevSecOps Community Survey 2018
Perspective…
100 : 10 : 1
Dev : Ops : Sec
DevSecOps – How?
• Dev teams should engage with Infosec as early as possible
• Embed security champions into DevOps teams
• ‘Shift left’ in your security testing approach
• Embed security into the Developers’ KPIs
• Integrate security into the DevOps tool chain (automatically)
• Run post mortems and ‘learn’ from them
Tales from the Trenches
“We are no longer writing customized software – instead, we assemble what we need from open source parts, which has become the software supply chain that we are very much reliant upon” – Joshua Corman (DevOps Enterprise Summit 2015)
Example 1: Commercial software
• ISM platform – initial parameters were ‘No credentials’
• In examining the COTS platform, discovered no brute force password protection in place
• Discovered a Java reporting module
• Led to crafting a template that included remote code execution – resulting in a functional exploit
• Major 3rd party vendor: 85% of Fortune 500, at least 1 NATO armed force, NASA & a well known multinational coffee shop
• LEARNING: Never assume an off the shelf application is secure.
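The control that Example 1 found missing, as an added illustration that is not from the deck or from Outpost24's own code: a per-account failed-login counter with a temporary lockout placed in front of whatever password check the application already has. The `LoginGuard` class, its constants, the constructed user `alice` and the injected fake clock are all assumptions made here for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_FAILURES = 5           # failed attempts tolerated inside the window
WINDOW_SECONDS = 15 * 60   # rolling window over which failures are counted
LOCKOUT_SECONDS = 15 * 60  # how long an account stays locked once the limit is hit


@dataclass
class LoginGuard:
    """Per-account failed-login counter with a temporary lockout.

    `verify(account, password)` is the application's existing credential check;
    `clock` is injectable so the behaviour can be tested without sleeping.
    """
    verify: Callable[[str, str], bool]
    clock: Callable[[], float] = time.time
    failures: Dict[str, List[float]] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        return self.locked_until.get(account, 0.0) > self.clock()

    def _recent_failures(self, account: str, now: float) -> List[float]:
        # Drop failures that fell out of the rolling window, keep the rest.
        cutoff = now - WINDOW_SECONDS
        kept = [t for t in self.failures.get(account, []) if t > cutoff]
        self.failures[account] = kept
        return kept

    def attempt(self, account: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'.

        The lockout is checked before the password is verified, so a locked
        account gives the same answer to a right and a wrong guess and cannot
        be probed while locked.
        """
        now = self.clock()
        if self.is_locked(account):
            return "locked"
        if self.verify(account, password):
            self.failures.pop(account, None)
            return "ok"
        recent = self._recent_failures(account, now)
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures.pop(account, None)
            return "locked"
        return "denied"


def demo() -> List[str]:
    """Walks through a guessing run against a constructed user and returns the
    sequence of outcomes; a fake clock stands in for wall time."""
    users = {"alice": "correct horse battery staple"}   # constructed; real systems store salted hashes
    fake_now = [1_000.0]
    guard = LoginGuard(verify=lambda u, p: users.get(u) == p, clock=lambda: fake_now[0])

    outcomes = [guard.attempt("alice", "wrong-guess") for _ in range(MAX_FAILURES)]
    # The correct password is still refused while the account is locked.
    outcomes.append(guard.attempt("alice", "correct horse battery staple"))
    fake_now[0] += LOCKOUT_SECONDS + 1
    # Once the lockout expires the legitimate login succeeds again.
    outcomes.append(guard.attempt("alice", "correct horse battery staple"))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A per-account lockout is itself a lever for denying service to the account's owner, so in practice it is paired with per-source throttling and an alert on every lockout event; the guard above is the piece a COTS product can reasonably be expected to ship with.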
Example 2: Open source intelligence could be your enemy
• Uber developer posted sensitive information allowing access to AWS infrastructure in GitHub
• More and more developers are using GitHub or similar repositories to store code
• Tools to search GitHub repositories for sensitive information exist
• Some enterprises mistakenly post to public rather than private repositories
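A minimal version of the secret-pattern scan that Example 2 alludes to, written from the repository owner's side as a pre-commit style check; this is an added example, not code from the deck or from Outpost24. The pattern names, the `scan_text`/`scan_paths` helpers and the sample config are assumptions; the sample key ID and secret are the placeholders AWS uses in its own documentation, and the password is made up.

```python
import re
import sys
from pathlib import Path
from typing import Iterable, List, Tuple

# Credential shapes that commonly end up in public repositories. The AWS access
# key ID format (AKIA followed by 16 upper-case alphanumerics) is documented by
# AWS; the remaining patterns are generic header/assignment matches.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
}

Finding = Tuple[str, int, str]   # (source, line number, pattern name)


def scan_text(text: str, source: str = "<memory>") -> List[Finding]:
    """Report every line that matches one of the credential patterns."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((source, lineno, name))
    return findings


def scan_paths(paths: Iterable[str], skip_dirs=(".git", "node_modules")) -> List[Finding]:
    """Walk files under each path and scan them; undecodable bytes are ignored."""
    findings = []
    for root in map(Path, paths):
        candidates = [root] if root.is_file() else root.rglob("*")
        for f in candidates:
            if not f.is_file() or any(part in skip_dirs for part in f.parts):
                continue
            try:
                findings.extend(scan_text(f.read_text(errors="ignore"), str(f)))
            except OSError:
                continue
    return findings


# Constructed sample config: key ID and secret are the AWS documentation
# placeholders, the password is invented.
SAMPLE_CONFIG = """\
[default]
region = eu-west-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "hunter2hunter2"
"""


if __name__ == "__main__":
    # Pre-commit style usage: scan the given paths (default: current tree) and
    # return non-zero so the commit is refused when anything is found.
    hits = scan_paths(sys.argv[1:] or ["."])
    for source, lineno, name in hits:
        print(f"{source}:{lineno}: possible {name}")
    sys.exit(1 if hits else 0)
```

Pattern matching of this kind is deliberately noisy: a hit means "a human looks before this is pushed", not "this is a live credential", and anything that does turn out to be real is rotated rather than merely deleted from the history.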
Example 3: Time is irrelevant
• Organization using a CMS (content management system)
• Discovered to leak non-sensitive information through local file disclosure in an old forked development that was still active on the server
• A number of findings were responsibly disclosed, but the customer risk-accepted them because the fork was obsolete
• Regular continuous testing (manual and automatic) led to the team discovering a plugin for the old application had been written and posted to a public repository (OSINT)
• Resulted (12 months later) in a successful compromise and remote code execution.
Example 4: Outsourcing DevOps Security
• Organization employed an outsourcing agency to develop a new application. Security processes had been discussed and agreed.
• After the application was delivered to production, a 3rd party pen test team discovered a number of critical and high vulnerabilities.
• Organization sent these to the outsourcer to address.
• On the next release, the old vulnerabilities were reintroduced and new ones added. This was repeated several times.
• Organization pulled the plug on the outsourcer and moved development in-house.
Example 5: Privilege escalation
• https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
• HR system: sequential IDs used for users. You could assign a deputy to assume your rights and access whilst on vacation. Simple ID manipulation led to full compromise of the system as Admin.
• Patient record system: another sequential numbering system, and ID manipulation in the browser header led to the ability to fully manipulate ANY user’s patient history.
• SaaS system: no additional checking of authentication after the browser check resulted in the ability to compromise the entire system and other modules quickly and easily.
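The access-control failure behind the HR and patient-record stories in Example 5, shown beside the server-side check that prevents it; this is an added example, not code from the deck. The record store, the `Session` model, the deputy rule and every function name are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict


class Forbidden(Exception):
    """Raised when the caller may not see or change the requested record."""


@dataclass
class Session:
    """Server-side identity established at login; never taken from the request."""
    user_id: int
    is_admin: bool = False


# Constructed HR records keyed by sequential numeric IDs, as on the slide.
# `deputy` is the user ID allowed to act for the record's owner while they are away.
EMPLOYEES: Dict[int, dict] = {
    1:    {"name": "Admin", "deputy": None},
    1001: {"name": "Alice", "deputy": None},
    1002: {"name": "Bob",   "deputy": None},
}


# --- Vulnerable: the record ID and the owner ID come straight from the request ---

def get_record_vulnerable(session: Session, requested_id: int) -> dict:
    """Authenticates the caller but never authorizes the object: any logged-in
    user can read any record by changing the number in the URL."""
    return EMPLOYEES[requested_id]


def assign_deputy_vulnerable(session: Session, owner_id: int, deputy_id: int) -> None:
    """Trusts the owner ID from the request, so a user can name themselves
    deputy of any account, including the administrator's."""
    EMPLOYEES[owner_id]["deputy"] = deputy_id


# --- Hardened: every decision is made against the session, not the request ---

def can_access(session: Session, target_id: int) -> bool:
    if session.is_admin or session.user_id == target_id:
        return True
    # A deputy may act for the one user who delegated to them, and nobody else.
    target = EMPLOYEES.get(target_id)
    return target is not None and target["deputy"] == session.user_id


def get_record_hardened(session: Session, requested_id: int) -> dict:
    if requested_id not in EMPLOYEES or not can_access(session, requested_id):
        # Same outcome for "no such record" and "not yours", so the sequential
        # ID space cannot be enumerated through differing error responses.
        raise Forbidden("not found")
    return EMPLOYEES[requested_id]


def assign_deputy_hardened(session: Session, deputy_id: int) -> None:
    """The owner is always the logged-in user; the request only names the deputy."""
    if deputy_id not in EMPLOYEES or deputy_id == session.user_id:
        raise Forbidden("invalid deputy")
    EMPLOYEES[session.user_id]["deputy"] = deputy_id


def denied(session: Session, requested_id: int) -> bool:
    """True if the hardened endpoint refuses this request."""
    try:
        get_record_hardened(session, requested_id)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    bob = Session(user_id=1002)
    print("vulnerable, Bob reads Alice:", get_record_vulnerable(bob, 1001)["name"])
    print("hardened, Bob reads Alice denied:", denied(bob, 1001))
    assign_deputy_hardened(Session(user_id=1001), 1002)   # Alice delegates to Bob
    print("hardened, Bob as deputy reads Alice:", get_record_hardened(bob, 1001)["name"])
    print("hardened, Bob reads Admin denied:", denied(bob, 1))
```

The read check is only as strong as the path that writes `deputy`: if the vulnerable assignment is still reachable anywhere, a user can make the hardened check pass for the admin's record, which is exactly the escalation the slide describes. Both the read and the write must derive the owner from the session.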
Learning from the best or the worst
• Mistakes happen. And continue to happen daily.
• DevSecOps integration is not immune.
• DevSecOps is about process as well as people.
• Building security into the very heart of DevOps. Empower individuals to be the security person in their day to day roles through:
  • Mutual understanding.
  • Shared language.
  • Shared vision.
  • Collaborative tooling.
Shift Left
But aim for far right:
Source: DevOps community survey
Now What?
Dev(Sec)Ops is here, and getting bigger
DevSecOps takeaways
• People & Process.
• Security needs to keep pace, be ‘agile’.
• Integrated into the CI/CD process.
• Test everything, at every stage. Don’t forget 3rd party components and outsourcers.
• Shift left. But test at all phases. Automate the testing tool set & pen test!
• ‘Culture is the most important aspect to Dev(sec)Ops succeeding in the Enterprise’ – Patrick Debois
Don’t resist - build a plan…
• If DevSecOps isn’t practiced today:
  • In the next month identify the who / what / where of the CI/CD pipeline
  • Find security champions in Dev and Ops
  • In the next 3 months create a plan to integrate security into DevOps
  • Shift left. Add one or two tools into an earlier phase of the SDLC
  • Empower Developers and Ops (champions) to use the tools
  • Within 6 months security should be embedded in all phases of the SDLC
• If DevSecOps is practiced today:
  • Can it be improved?
  • Do you have a good understanding of the security state of each phase from develop through deploy and monitor?
Simon Roe
sro@outpost24.com
