Dev secops security and compliance at the speed of continuous delivery - owasp
Abstract:

See how an Ottawa company has built a SOC2 Type 2 audited software delivery system with less pain and more value.

Build security and compliance into the way software is delivered and operated to:
* Make secure development easier
* Provide real customer value
* Avoid security theatre
* Reduce security and audit bottlenecks

Bio:
Dag Rowe is a BA in security and compliance. Passionate about improving systems of work, he is actively involved in the local software community. Dag helps to organize the Agile Ottawa Meetup group, and the Gatineau-Ottawa Agile Tour conference.



Slide 1: DevSecOps - Security and Compliance at the Speed of Continuous Delivery
Dag Rowe - OWASP Ottawa, Sept 2018 (@dagrowe)

Slide 2: Holy Grails
* You want to deliver product
* You want to deliver it fast
* You want people to trust it

Slide 3: Holy Grails
Oh and ... usable, secure, has defense in depth, hardened, easy to patch, uses the principle of least privilege, compliant, auditable, supportable, uses modern tech, attracts developers, cost effective ...

Slide 4: Holy Grails
And ... still deliver features. GO!

Slide 5: Compliance
* Document what you do
* Do it
* Prove you did it

Slide 6: Compliance
* Document what you do: security controls, plans, and processes
* Do it: hard
* Prove you did it: if you haven't planned, this can be hard, disruptive work

Slide 7: Also ...

Slide 8: Can we move to Compliance Engineering?

Slide 9: DevSecOps
Yes! Treat the problem of security and compliance as a test, release, and observability engineering problem.

Slide 10: Why focus on Compliance?

Slide 11: Why Compliance?
Compliance opens wallets. It moves security spending from fear (avoid a big incident) to greed (a sales tool). Paraphrasing Bruce Schneier.

Slide 12: DevSecOps
DevOps used to deliver and run systems in a secure and reliable way. Bringing in security and compliance increases the focus on Ops: "You build it, you run it".

Slide 13: No Magic
Just DevOps done right. Other terms: DevSecOps, DevOpsSec, Rugged DevOps. It is a good search phrase, though.

Slide 14: Enter the Dragon
Tehama

Slide 15: tehama.io

Slide 16: Tehama the Product
Delivers privileged technical services over the internet with transparency, security, and auditability. Ensures trust while enabling quick onboarding and connectivity.

Slide 17: Tehama and SOC2
Decided that SOC2 compliance was mandatory:
* Sales tool
* Trust tool: validated security practices via a trusted third-party auditor

Slide 18: DevSecOps - Secret Sauce
The whole team approach:
* Leverage security and compliance expertise in building out the system
* Leverage the technical expertise of your DevOps team
* What about Product? Testing? Marketing? Legal? Yes, the whole team

Slide 19: They are all stakeholders in delivery

Slide 20: Tehama DevSecOps Principles
* Security and Compliance is not the office of no
* Build security in
* Don't be compliant for compliance's sake: make it secure to demonstrate compliance, and keep it valuable

Slide 21: * Respected Colleague

Slide 22: Implementation
* Security is everyone's job, all the time
* Design it into the system; then it is just how the software is delivered
* Audit evidence is generated during daily work, not extra work

Slide 23: DevOps Patterns
* Infrastructure as Code
* Continuous Delivery
* Continuous Monitoring
* Learning from Failure
* Collaborative Culture

Slide 24: Policy Designed for CI/CD Change Management
* Standard Change: pre-approved; move most changes here; high success rate, low MTTR
* High Risk Change: classic security approval
* Emergency Change: post-release approval; don't block an emergency change
Slide 25: DevOps Audit Defense
d) Automated security testing of the code and environment is performed as part of the deployment pipeline, as per CS2.e.
e) All production deployments must have a JIRA ticket number. Deployers must input the JIRA ticket number into the Jenkins build pipeline system for code to be deployed into production.
i) Jenkins uses the JIRA plugin to pull information from JIRA to include with the build information and push information about the build into the JIRA ticket.

Slide 26: Implementation - Secure Software Supply Chain
* All images and OSs are from trusted repos, hardened
* All software dependencies are scanned
* Patch management is just another change

Slide 27: Implementation - SDLC
The SDLC is based on a CI/CD pipeline. Automatic:
* SAST - Static Application Security Testing
* DAST - Dynamic Application Security Testing
* SCA - Software Component Analysis
* Container vulnerability analysis
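The change policy of slide 24 and the pipeline controls of slides 25 and 27 can be expressed as a single release gate that both decides and records evidence. This is an added illustration, not Tehama's or Jenkins' code; the `Change` record, the `evaluate_release` gate, the severity threshold and the sample ticket ids are all assumptions.

```python
"""Release gate modelled on the deck's change policy and pipeline scans.
Added example, not Tehama's or Jenkins' code; it assumes the pipeline has
already collected the change record and scan results into plain dicts."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCANNERS = ("sast", "dast", "sca", "container")  # automatic scans, slide 27
BLOCKING = {"critical", "high"}                   # assumed severity gate


@dataclass
class Change:
    ticket: Optional[str]                  # JIRA ticket id, slide 25 item e)
    kind: str                              # standard | high_risk | emergency
    security_approved: bool = False        # classic approval for high-risk changes
    scans: Dict[str, List[str]] = field(default_factory=dict)  # scanner -> severities


def evaluate_release(change: Change) -> dict:
    """Return the gate decision plus the evidence an auditor later asks for."""
    evidence = {"ticket": change.ticket, "kind": change.kind, "scans": {}}
    failed = []
    for scanner in SCANNERS:
        found = change.scans.get(scanner)
        if found is None:                  # a missing scan is not a passing scan
            failed.append(f"{scanner} scan missing")
            continue
        bad = [s for s in found if s in BLOCKING]
        evidence["scans"][scanner] = {"findings": len(found), "blocking": len(bad)}
        if bad:
            failed.append(f"{scanner}: {len(bad)} blocking finding(s)")
    if change.kind == "high_risk" and not change.security_approved:
        failed.append("high-risk change needs security approval")
    if change.kind == "emergency":
        # slide 24: never block an emergency change; failed gates become post-release review work
        evidence["post_release_review"] = failed
        failed = []
    blockers = ([] if change.ticket else ["missing ticket number"]) + failed
    return {"decision": "deploy" if not blockers else "block",
            "blockers": blockers, "evidence": evidence}


def demo() -> dict:
    """Constructed sample changes exercising each branch of the policy."""
    clean = {s: ["low"] for s in SCANNERS}
    return {
        "standard": evaluate_release(Change("TEH-101", "standard", scans=clean)),
        "no_ticket": evaluate_release(Change(None, "standard", scans=clean)),
        "high_risk": evaluate_release(Change("TEH-102", "high_risk", scans=clean)),
        "emergency": evaluate_release(Change("TEH-103", "emergency", scans={**clean, "sca": ["high"]})),
    }
```

The returned `evidence` dict is what slide 31 calls CI/CD scan logs and release authorization: it is produced by the same step that makes the decision, so the audit trail is a by-product of daily work rather than extra work.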
Slide 28: Implementation - SDLC
Manual:
* Prioritization and planning
* Pull requests and code review: code review guidelines call out security concerns with a standard checklist
* PR approval and release authorization

Slide 29: Implementation - Monitoring
Vulnerability plan includes intrusion detection. Requires monitoring and alerting to detect incidents:
* Alerting will launch Incident Response (IR)
* Note: manual detection is still in scope: strange system behaviour, customer reports, AWS security, law enforcement

Slide 30: Implementation - IR and Logging
DevOps includes a focus on monitoring and observability:
* This adds big value
* Enables robust Incident Response and troubleshooting capabilities

Slide 31: Where's the Evidence?
* Agile planning
* Work ticket workflow: pull requests
* CI/CD scan logs: remediation tickets
* Release ticket workflow: authorization
* Production monitoring
* Incident tickets
* ChatOps
* Blameless post-mortems: remediation tickets

Slide 32: Results
* Last pentest had no findings
* Security and compliance dev work is not exceptional
* First audit (Type 1) passed without complications; kudos from auditors
* Second audit (Type 2) had no major out-of-band work for developers or compliance; passed
* Continuous improvement on logging and monitoring
* IR and post-mortem process well established
Slide 33: References
* DevOpsSec: Securing software through continuous delivery - https://www.safaribooksonline.com/library/view/devopssec/9781491971413/
* DevOps Audit Defense Toolkit - https://itrevolution.com/devops-audit-defense-toolkit/
* The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations (Chapter 19, Section VI, Appendix 9) - https://www.amazon.ca/DevOps-Handbook-World-Class-Reliability-Organizations/dp/1942788002

Slide 34: References
* Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations (Chapter 6) - https://www.amazon.ca/Accelerate-Software-Performing-Technology-Organizations/dp/1942788339/
* Incident Management for Operations - https://www.amazon.ca/Incident-Management-Operations-Rob-Schnepp/dp/1491917628/
* PagerDuty Incident Response - https://response.pagerduty.com/
* Incident Response: Trade-offs Under Pressure - https://www.slideshare.net/InfoQ/incident-response-tradeoffs-under-pressure

Slide 35: References
* Blameless PostMortems and a Just Culture - https://codeascraft.com/2012/05/22/blameless-postmortems/
* The infinite hows - https://www.oreilly.com/ideas/the-infinite-hows
* Debriefing Facilitation Guide - https://extfiles.etsy.com/DebriefingFacilitationGuide.pdf
* Was it technical failure or human error? - https://www.youtube.com/watch?v=Ygx2AI2RtkI
* AWS Monitoring & Logging - https://www.slideshare.net/JasonPoley/aws-monitoring-logging
* Container & Microservice Security - https://www.youtube.com/watch?v=8tDpGyVV8OQ
* How the Human Brain Buys Security - https://www.schneier.com/essays/archives/2008/07/how_the_human_brain.html