SlideShare uma empresa Scribd logo

CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSec Life - Matt Tesauro

•Transferir como ODP, PDF•
•
PROIDEA
PROIDEA

Speaker: Matt Tesauro Language: English CONFidence: http://confidence.org.pl/pl/

Software
1 de 46
Matt Tesauro Pearson Lessons from DevOps: Taking DevOps practices into your AppSec Life
5 months with Pearson Application Security Lead Engineer Prior to Pearson Rackspace - Lead Engineer, Product Security AppSec consulting – VP Services, Praetorian – Consultant Trustwave’s Spiderlabs TEA - Senior Security Engineer DIR - Penetration Tester Texas A&M University – Systems Analyst, Sys Admin, Developer, DBA – Lecturer in MIS department Viatel - Internet App Developer
Other professional experience OWASP Live CD / OWASP WTE – Project lead 2008 to present, over 300K downloads – http://appseclive.org OWASP Foundation Board of Directors – International charity focused on improving software security Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences Application Security Training internationally B.S. Economics, M.S. in MIS – Strong believer in the value of cross- discipline study
The Problem – Cycle time for software is getting shorter – Continuous delivery is a goal – Scanning windows are not viable – First mover / first to market advantage
More Problems.. Traditional software development left little time to test DevOps, Agile and Continuous Delivery squeeze those windows even more New languelages and programming methods aren’t making this better – Growth of interpreted languages with loose typing hurts static analysis efforts – Few automated tools to test APIs especially RESTful APIs Little time for any testing, manual testing is doomed
The Solution - Automated software testing - Automated operational infrastructure - Automated security testing
“Don’t get set into one form, adapt it and build your own, and let it grow, be like water”.
A time to morn
Traditional Software Dev & Ops The old way... Very early and prescriptive requirements and design Long development cycles Waterfall Approach Groups work in Silos - Dev, SysAdmin, QA, Security Possible feedback from bug reports but little else Throwing code over the wall
Waterfall Development
Why DevOps came to be What's different about DevOps Web/Cloud companies needed - high availability - fast introduction of new features Easy for users to switch to a competing service + fist mover advantage No media to ship with SaaS models Cultural change – not just new cool tech aka CI/CD, Docker... Focus on clear business objectives Dev and SysAdmins share responsibility for uptime, deploys, downtime Emphasize people and process, repeatability Goal is better uptime and lower operational costs The DevOps Answer
"Notice that the stiffest tree is most easily cracked, while the bamboo or willow survives by bending with the wind."
The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
Workflow The 3 Ways of DevOps 1 2 3
Look at your purpose and those process which aid it ● Make sure the process is correct from beginning to the end Then look at ways to speed up that process ● Value Stream – the name a the process which provides value to the business ● Working from left to right – think of a time line: business / development => customer / operations ● Flow [rate] – the speed work goes through the process #1 - Workflow
An example workflow Software release process ● Code written ● Code committed to a code repository ● Unit test the code ● Package the code for deployment ● Integration testing ● Deploy code to production #1 - Workflow
The AppSec Pipeline
Key Features of AppSec Pipelines • Designed for iterative improvement • Provides a reusable path for AppSec activities to follow • Provides a consistent process for both the team and our constituency • One way flow with well-defined states • Relies heavily on automation • Has the ability to grow in function organically over time • Gracefully interconnects with the development process
Spending time optimizing anything other than the critical resource is an illusion. - Edward Deming
Key Goals of AppSec Pipelines • Optimize the critical resource – App Sec personnel • Automate all the things that don’t require a human brain • Drive up consistency • Increase tracking of work status • Increase flow through the system • Increase visibility and metrics • Reduce any dev team friction with application security
Pipeline - Intake • “First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
Pipeline – the Middle • Inbound request triage • Ala Carte App Sec • Dynamic Testing • Static Testing • Re-Testing mitigated findings • Mix and match based on risk • Key Concepts • Activities can be run in parallel • Automation on setup, configuration, data export • Focus people on customization rather than setup
Pipeline – the End • Source of truth for all AppSec activities • ThreadFix is used to • Dedup / Consolidate findings • Normalize scanner data • Generate Metrics • Push issues to bug trackers • Report and metrics automation • REST + tfclient • Source of many touch points with external teams
Why we like AppSec Pipelines • Allow us to have visibility into WIP • Better understand/track/optimize flow of engagements • Average static test takes ... • Great increase in consistency • Easier re-allocation of engagements between staff • Each step has a well defined interface • Knowing who has what allows for more informed “cost of switching” conversations • Flexible enough for a range of skills and app maturity
If you want to hear more... AppSec EU 2015 – talk slides & video
Making things repeatable Remove all haphazard and ad hoc work from the process Repeat until stable, I like doing the first couple times manually with a 'run book' Scripting languages are your friends Config Mgmt – Puppet, Chef, Salt, Ansible, Jenkins, CFEngine, … Creating deployable artifacts from a branch/release aka .rpm / .deb / .msi Make sure what you do can be done on 1 server or 10,000 servers #1 - Workflow Each Step Repeatable
Making things repeatable in AppSec Make tests easily repeatable You will be re-testing after dev fixes so repeatable tests help retesting You can hand them to devs to test as they write mitigation Make tests easy to understand You will likely be handing work off between App Sec staff or to devs Make tests abstract and combine-able Ala carte tests for mixing and matching Think about the Unix pipe | and its power #1 - Workflow Each Step Repeatable
"I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times."
Work left to right but don't pass on failures For AppSec, Defects == False Positives Test early and often Increase the rigor of testing as you work left to right When a failure occurs, end that flow and start a new one after corrections The further right you are, the more expensive failure is #1 - Workflow Never Pass on Defects If you can automate code review, you still must triage 1 false positive == 100 valid bugs If results aren't actionable, you've failed Best security ROI is findings early in the dev lifecycle
Your fix cannot be my new problem Ensure no single-step optimizations degrade overall performance Spending time optimizing anything other than the critical resource is an illusion. Find the bottle neck in your workflow and start there - Upstream changes will just back things up - Downstream changes won't manifest since input is limited Each new optimization creates a new bottleneck – iterate on this #1 - Workflow Local optimizations with a global view Now go faster Make sure you have a well-defined, repeatable process first Look for manual steps that can be automated Look for duplicate work that can be removed/eliminated Measuring/tracking time taken at each step is crucial Where does the flow ebb? Increase the flow of work
Workflow Improve Feedback The 3 Ways of DevOps 1 2 3
Open yourself to upstream and downstream information Feedback loops occur when information is gathered from - upstream (business / development) - downstream (customer / operations) Make visible problems, concerns, potential improvements – share this publicly within your company Learn as you move left to right so improvements aren't lost Requests are opportunities to better fulfill the needs of the business There is rarely enough feedback, capture and look for more Feedback collected can be used to optimally improve the system #2 – Improve Feedback
Customers are also inside your business Customer is more then the 'consumer' at the end of the process - Each step is the customer of the previous step - Understand what the next steps need from you to succeed Remember, feedback isn't guaranteed - encourage it by responding Make feedback & responding quick, easy and readily available #2 – Improve Feedback Understand and respond to your customers Embed knowledge when needed Go all in Keep specialized knowledge out of people's heads and into the system - Check it into source control – automatically versioned. Moving left to right, keep needed info in the stage that requires it
Workflow Improve Feedback Continual Experimentation and Learning The 3 Ways of DevOps 1 2 3
Create a culture of innovation and experimentation The fundamentals are now solid, what can your new knowledge buy you? The business culture must allow for and embrace innovation & experimentation Two essential things must be understood by the business and all involved - We can learn from the failed experiments and risks we take - Mastery comes with repetition and practice and you won't be a master the first N times you practice #3 – Continual Experimentation & Learning
Findings directly to bug trackers • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog - do security sprints • Learn how the team treats issues • ThreadFix is nice for metrics and pumping issues into issue trackers - http://code.google.com/p/threadfix/
For the reticent: nag, nag, nag • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and bug tracker APIs • Get management sold first
Automating Infrastructure • Declarative configuration language • Plain-text configuration in source control • Fully programmatic, no manual interactions
Cookbooks, Stacks, Playbooks, ... • Most have methods to bundle / share automation routines • You will have to write your own / customize • Good place to spend security cycles -Merge patches upstream for extra good karma points.
Grouping & Tagging • Tagging your servers applies the required set of automation • A base set of for all servers • Each server can have multiple tags • Map tags to security requirements Node Node Node Node DB Node Node Node Node Cache Node Node Node Node Web Apache Monitoring MySql Memcache Works for Clouds Too!
Inspector – you need one • For each group and/or tag • Review the recipe, do a PR aka Pull Request • Hook provisioning for post deploy review • Focus on checking for code compliance -Not perfection, bare minimums • Can include multiple facets -Security, Scalability, Compliance • Vuln scanners – manual or auto • Jenkins Job + Lynis (open source)
Agent – one mole to rule them all • Add an agent to the standard deploy • Read-only helps sell to SysAdmin • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Create your own or find a vendor Mozilla MIG
Turn Vuln scanning on its head • Add value for your ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models or config mgmt • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
• Automate, automate, automate • Look for “paper cuts” and fix those first • Finding workflow – your AppSec Pipeline • Figure this out and standardize / optimize • Create systems which can grow organically • App is never done, its just created to easily be added to over time • Finding blocks become templates for next time • Learn to talk “dev” Key Take Aways
The Phoenix Project The Practice of Cloud System Administration Gene Kim, Kevin Behr and George Spafford Books to read Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan
Questions? Thank You

Recomendados

Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroMatt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeMatt Tesauro
 
DevOps 101 for Government
DevOps 101 for GovernmentDevOps 101 for Government
DevOps 101 for GovernmentSanjeev Sharma
 
IBM Innovate - Uderstanding DevOps
IBM Innovate - Uderstanding DevOpsIBM Innovate - Uderstanding DevOps
IBM Innovate - Uderstanding DevOpsSanjeev Sharma
 
DevOps 101
DevOps 101DevOps 101
DevOps 101satya sudheer
 
DevOps Overview
DevOps OverviewDevOps Overview
DevOps OverviewOmri Spector
 
The Devops Handbook
The Devops HandbookThe Devops Handbook
The Devops HandbookHarish Kamugakudi Marimuthu
 
Dev ops
Dev opsDev ops
Dev opsPHAGUNJAIN1
 

Recomendados

Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroMatt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeMatt Tesauro
 
DevOps 101 for Government
DevOps 101 for GovernmentDevOps 101 for Government
DevOps 101 for GovernmentSanjeev Sharma
 
IBM Innovate - Uderstanding DevOps
IBM Innovate - Uderstanding DevOpsIBM Innovate - Uderstanding DevOps
IBM Innovate - Uderstanding DevOpsSanjeev Sharma
 
DevOps 101
DevOps 101DevOps 101
DevOps 101satya sudheer
 
DevOps Overview
DevOps OverviewDevOps Overview
DevOps OverviewOmri Spector
 
The Devops Handbook
The Devops HandbookThe Devops Handbook
The Devops HandbookHarish Kamugakudi Marimuthu
 
Dev ops
Dev opsDev ops
Dev opsPHAGUNJAIN1
 
Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet SugathadasaSite Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet SugathadasaKeet Sugathadasa
 
Webinar: A Roadmap for DevOps Success
Webinar: A Roadmap for DevOps SuccessWebinar: A Roadmap for DevOps Success
Webinar: A Roadmap for DevOps SuccessJules Pierre-Louis
 
DevOps for beginners
DevOps for beginnersDevOps for beginners
DevOps for beginnersPradeep Patel, PMPÂŽ
 
DevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOps
DevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOpsDevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOps
DevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOpsSailaja Tennati
 
Enterprise DevOps
Enterprise DevOps Enterprise DevOps
Enterprise DevOps Liam McDowell
 
DevOps: A Practical Guide
DevOps: A Practical GuideDevOps: A Practical Guide
DevOps: A Practical GuideVictorOps
 
Continuous Integration
Continuous IntegrationContinuous Integration
Continuous IntegrationPreetam Palwe
 
7 Practices to Expand Performance and Effective Collaboration in DevOps
7 Practices to Expand Performance and Effective Collaboration in DevOps7 Practices to Expand Performance and Effective Collaboration in DevOps
7 Practices to Expand Performance and Effective Collaboration in DevOpsDynatrace
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...SlideTeam
 
Mainframe DevOps: A Zowe CLI-enabled Roadmap
Mainframe DevOps: A Zowe CLI-enabled RoadmapMainframe DevOps: A Zowe CLI-enabled Roadmap
Mainframe DevOps: A Zowe CLI-enabled RoadmapDevOps.com
 
DevOps 101
DevOps 101DevOps 101
DevOps 101Ernest Mueller
 
Building an automated database deployment pipeline
Building an automated database deployment pipelineBuilding an automated database deployment pipeline
Building an automated database deployment pipelineRed Gate Software
 
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...Matt Ray
 
DevOps Roadtrip Final Speaking Deck
DevOps Roadtrip Final Speaking Deck DevOps Roadtrip Final Speaking Deck
DevOps Roadtrip Final Speaking Deck VictorOps
 
Bn1006 demo ppt devops
Bn1006 demo ppt devopsBn1006 demo ppt devops
Bn1006 demo ppt devopsconline training
 
DevOps unraveled - Nyenrode masterclass on Agile Management
DevOps unraveled - Nyenrode masterclass on Agile ManagementDevOps unraveled - Nyenrode masterclass on Agile Management
DevOps unraveled - Nyenrode masterclass on Agile ManagementInspectie van het Onderwijs
 
DevOps and Tools
DevOps and ToolsDevOps and Tools
DevOps and ToolsMohammed Fazuluddin
 
DevOps - A Gentle Introduction
DevOps - A Gentle IntroductionDevOps - A Gentle Introduction
DevOps - A Gentle IntroductionGanesh Samarthyam
 
DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...
DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...
DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...Cisco DevNet
 
Starting and Scaling DevOps
Starting and Scaling DevOpsStarting and Scaling DevOps
Starting and Scaling DevOpsJules Pierre-Louis
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
Using Lean Thinking to identify and address Delivery Pipeline bottlenecks
Using Lean Thinking to identify and address Delivery Pipeline bottlenecksUsing Lean Thinking to identify and address Delivery Pipeline bottlenecks
Using Lean Thinking to identify and address Delivery Pipeline bottlenecksSanjeev Sharma
 

Mais conteĂşdo relacionado

Mais procurados

Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet SugathadasaSite Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet SugathadasaKeet Sugathadasa
 
Webinar: A Roadmap for DevOps Success
Webinar: A Roadmap for DevOps SuccessWebinar: A Roadmap for DevOps Success
Webinar: A Roadmap for DevOps SuccessJules Pierre-Louis
 
DevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOps
DevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOpsDevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOps
DevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOpsSailaja Tennati
 
Enterprise DevOps
Enterprise DevOps Enterprise DevOps
Enterprise DevOps Liam McDowell
 
DevOps: A Practical Guide
DevOps: A Practical GuideDevOps: A Practical Guide
DevOps: A Practical GuideVictorOps
 
Continuous Integration
Continuous IntegrationContinuous Integration
Continuous IntegrationPreetam Palwe
 
7 Practices to Expand Performance and Effective Collaboration in DevOps
7 Practices to Expand Performance and Effective Collaboration in DevOps7 Practices to Expand Performance and Effective Collaboration in DevOps
7 Practices to Expand Performance and Effective Collaboration in DevOpsDynatrace
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...SlideTeam
 
Mainframe DevOps: A Zowe CLI-enabled Roadmap
Mainframe DevOps: A Zowe CLI-enabled RoadmapMainframe DevOps: A Zowe CLI-enabled Roadmap
Mainframe DevOps: A Zowe CLI-enabled RoadmapDevOps.com
 
Building an automated database deployment pipeline
Building an automated database deployment pipelineBuilding an automated database deployment pipeline
Building an automated database deployment pipelineRed Gate Software
 
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...Matt Ray
 
DevOps Roadtrip Final Speaking Deck
DevOps Roadtrip Final Speaking Deck DevOps Roadtrip Final Speaking Deck
DevOps Roadtrip Final Speaking Deck VictorOps
 
Bn1006 demo ppt devops
Bn1006 demo ppt devopsBn1006 demo ppt devops
Bn1006 demo ppt devopsconline training
 
DevOps unraveled - Nyenrode masterclass on Agile Management
DevOps unraveled - Nyenrode masterclass on Agile ManagementDevOps unraveled - Nyenrode masterclass on Agile Management
DevOps unraveled - Nyenrode masterclass on Agile ManagementInspectie van het Onderwijs
 
DevOps - A Gentle Introduction
DevOps - A Gentle IntroductionDevOps - A Gentle Introduction
DevOps - A Gentle IntroductionGanesh Samarthyam
 
DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...
DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...
DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...Cisco DevNet
 
Starting and Scaling DevOps
Starting and Scaling DevOpsStarting and Scaling DevOps
Starting and Scaling DevOpsJules Pierre-Louis
 

Mais procurados (20)

Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet SugathadasaSite Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
 
Webinar: A Roadmap for DevOps Success
Webinar: A Roadmap for DevOps SuccessWebinar: A Roadmap for DevOps Success
Webinar: A Roadmap for DevOps Success
 
DevOps for beginners
DevOps for beginnersDevOps for beginners
DevOps for beginners
 
DevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOps
DevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOpsDevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOps
DevOps Summit 2015 Presentation: Continuous Testing At the Speed of DevOps
 
Enterprise DevOps
Enterprise DevOps Enterprise DevOps
Enterprise DevOps
 
DevOps: A Practical Guide
DevOps: A Practical GuideDevOps: A Practical Guide
DevOps: A Practical Guide
 
Continuous Integration
Continuous IntegrationContinuous Integration
Continuous Integration
 
7 Practices to Expand Performance and Effective Collaboration in DevOps
7 Practices to Expand Performance and Effective Collaboration in DevOps7 Practices to Expand Performance and Effective Collaboration in DevOps
7 Practices to Expand Performance and Effective Collaboration in DevOps
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
 
Mainframe DevOps: A Zowe CLI-enabled Roadmap
Mainframe DevOps: A Zowe CLI-enabled RoadmapMainframe DevOps: A Zowe CLI-enabled Roadmap
Mainframe DevOps: A Zowe CLI-enabled Roadmap
 
DevOps 101
DevOps 101DevOps 101
DevOps 101
 
Building an automated database deployment pipeline
Building an automated database deployment pipelineBuilding an automated database deployment pipeline
Building an automated database deployment pipeline
 
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
 
DevOps Roadtrip Final Speaking Deck
DevOps Roadtrip Final Speaking Deck DevOps Roadtrip Final Speaking Deck
DevOps Roadtrip Final Speaking Deck
 
Bn1006 demo ppt devops
Bn1006 demo ppt devopsBn1006 demo ppt devops
Bn1006 demo ppt devops
 
DevOps unraveled - Nyenrode masterclass on Agile Management
DevOps unraveled - Nyenrode masterclass on Agile ManagementDevOps unraveled - Nyenrode masterclass on Agile Management
DevOps unraveled - Nyenrode masterclass on Agile Management
 
DevOps and Tools
DevOps and ToolsDevOps and Tools
DevOps and Tools
 
DevOps - A Gentle Introduction
DevOps - A Gentle IntroductionDevOps - A Gentle Introduction
DevOps - A Gentle Introduction
 
DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...
DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...
DEVNET-2015 DevOps In Depth - Damon Edwards on DevOps Kaizen: Building an Ent...
 
Starting and Scaling DevOps
Starting and Scaling DevOpsStarting and Scaling DevOps
Starting and Scaling DevOps
 

Semelhante a CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSec Life - Matt Tesauro

Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
Using Lean Thinking to identify and address Delivery Pipeline bottlenecks
Using Lean Thinking to identify and address Delivery Pipeline bottlenecksUsing Lean Thinking to identify and address Delivery Pipeline bottlenecks
Using Lean Thinking to identify and address Delivery Pipeline bottlenecksSanjeev Sharma
 
Webinar - Design Thinking for Platform Engineering
Webinar - Design Thinking for Platform EngineeringWebinar - Design Thinking for Platform Engineering
Webinar - Design Thinking for Platform EngineeringOpenCredo
 
Agile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAgile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAdam Stephensen
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
Continuous delivery best practices and essential tools
Continuous delivery best practices and essential toolsContinuous delivery best practices and essential tools
Continuous delivery best practices and essential toolsDBmaestro - Database DevOps
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015Shannon Lietz
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon KeynoteShannon Lietz
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015Shannon Lietz
 
Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0
Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0
Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0minseok kim
 
DevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practicesDevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practicesayoubbahaddouayoub
 
Slides from "Taking an Holistic Approach to Product Quality"
Slides from "Taking an Holistic Approach to Product Quality"Slides from "Taking an Holistic Approach to Product Quality"
Slides from "Taking an Holistic Approach to Product Quality"Peter Marshall
 
Introduction to continuous delivery
Introduction to continuous deliveryIntroduction to continuous delivery
Introduction to continuous deliveryOlympicSoftware
 
Continuous Delivery - the missing parts - Paul Stack
Continuous Delivery - the missing parts - Paul StackContinuous Delivery - the missing parts - Paul Stack
Continuous Delivery - the missing parts - Paul StackJAXLondon_Conference
 
Introduction to Software Engineering
Introduction to Software EngineeringIntroduction to Software Engineering
Introduction to Software EngineeringSaqib Raza
 
Introduction to DevOps slides-converted (1).pptx
Introduction to DevOps slides-converted (1).pptxIntroduction to DevOps slides-converted (1).pptx
Introduction to DevOps slides-converted (1).pptxaasssss1
 

Semelhante a CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSec Life - Matt Tesauro (20)

Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
Using Lean Thinking to identify and address Delivery Pipeline bottlenecks
Using Lean Thinking to identify and address Delivery Pipeline bottlenecksUsing Lean Thinking to identify and address Delivery Pipeline bottlenecks
Using Lean Thinking to identify and address Delivery Pipeline bottlenecks
 
Webinar - Design Thinking for Platform Engineering
Webinar - Design Thinking for Platform EngineeringWebinar - Design Thinking for Platform Engineering
Webinar - Design Thinking for Platform Engineering
 
Agile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAgile & DevOps - It's all about project success
Agile & DevOps - It's all about project success
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 
Continuous delivery best practices and essential tools
Continuous delivery best practices and essential toolsContinuous delivery best practices and essential tools
Continuous delivery best practices and essential tools
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
 
Lect7
Lect7Lect7
Lect7
 
Lect7
Lect7Lect7
Lect7
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
 
Tell me how you provision and I'll tell you how you are
Tell me how you provision and I'll tell you how you areTell me how you provision and I'll tell you how you are
Tell me how you provision and I'll tell you how you are
 
Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0
Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0
Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0
 
DevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practicesDevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practices
 
Slides from "Taking an Holistic Approach to Product Quality"
Slides from "Taking an Holistic Approach to Product Quality"Slides from "Taking an Holistic Approach to Product Quality"
Slides from "Taking an Holistic Approach to Product Quality"
 
Introduction to continuous delivery
Introduction to continuous deliveryIntroduction to continuous delivery
Introduction to continuous delivery
 
Continuous Delivery - the missing parts - Paul Stack
Continuous Delivery - the missing parts - Paul StackContinuous Delivery - the missing parts - Paul Stack
Continuous Delivery - the missing parts - Paul Stack
 
Dev ops
Dev opsDev ops
Dev ops
 
Introduction to Software Engineering
Introduction to Software EngineeringIntroduction to Software Engineering
Introduction to Software Engineering
 
Introduction to DevOps slides-converted (1).pptx
Introduction to DevOps slides-converted (1).pptxIntroduction to DevOps slides-converted (1).pptx
Introduction to DevOps slides-converted (1).pptx
 

Último

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 

Último (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 

CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSec Life - Matt Tesauro

  • 1. Matt Tesauro Pearson Lessons from DevOps: Taking DevOps practices into your AppSec Life
  • 2. 5 months with Pearson Application Security Lead Engineer Prior to Pearson Rackspace - Lead Engineer, Product Security AppSec consulting – VP Services, Praetorian – Consultant Trustwave’s Spiderlabs TEA - Senior Security Engineer DIR - Penetration Tester Texas A&M University – Systems Analyst, Sys Admin, Developer, DBA – Lecturer in MIS department Viatel - Internet App Developer
  • 3. Other professional experience OWASP Live CD / OWASP WTE – Project lead 2008 to present, over 300K downloads – http://appseclive.org OWASP Foundation Board of Directors – International charity focused on improving software security Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences Application Security Training internationally B.S. Economics, M.S. in MIS – Strong believer in the value of cross- discipline study
  • 4. The Problem – Cycle time for software is getting shorter – Continuous delivery is a goal – Scanning windows are not viable – First mover / first to market advantage
  • 5. More Problems.. Traditional software development left little time to test DevOps, Agile and Continuous Delivery squeeze those windows even more New languelages and programming methods aren’t making this better – Growth of interpreted languages with loose typing hurts static analysis efforts – Few automated tools to test APIs especially RESTful APIs Little time for any testing, manual testing is doomed
  • 6. The Solution - Automated software testing - Automated operational infrastructure - Automated security testing
  • 7. “Don’t get set into one form, adapt it and build your own, and let it grow, be like water”.
  • 8. A time to morn
  • 9. Traditional Software Dev & Ops The old way... Very early and prescriptive requirements and design Long development cycles Waterfall Approach Groups work in Silos - Dev, SysAdmin, QA, Security Possible feedback from bug reports but little else Throwing code over the wall
  • 11. Why DevOps came to be What's different about DevOps Web/Cloud companies needed - high availability - fast introduction of new features Easy for users to switch to a competing service + fist mover advantage No media to ship with SaaS models Cultural change – not just new cool tech aka CI/CD, Docker... Focus on clear business objectives Dev and SysAdmins share responsibility for uptime, deploys, downtime Emphasize people and process, repeatability Goal is better uptime and lower operational costs The DevOps Answer
  • 12. "Notice that the stiffest tree is most easily cracked, while the bamboo or willow survives by bending with the wind."
  • 13. The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
  • 14. Workflow The 3 Ways of DevOps 1 2 3
  • 15. Look at your purpose and those process which aid it ● Make sure the process is correct from beginning to the end Then look at ways to speed up that process ● Value Stream – the name a the process which provides value to the business ● Working from left to right – think of a time line: business / development => customer / operations ● Flow [rate] – the speed work goes through the process #1 - Workflow
  • 16. An example workflow Software release process ● Code written ● Code committed to a code repository ● Unit test the code ● Package the code for deployment ● Integration testing ● Deploy code to production #1 - Workflow
  • 18. Key Features of AppSec Pipelines • Designed for iterative improvement • Provides a reusable path for AppSec activities to follow • Provides a consistent process for both the team and our constituency • One way flow with well-defined states • Relies heavily on automation • Has the ability to grow in function organically over time • Gracefully interconnects with the development process
  • 19. Spending time optimizing anything other than the critical resource is an illusion. - Edward Deming
  • 20. Key Goals of AppSec Pipelines • Optimize the critical resource – App Sec personnel • Automate all the things that don’t require a human brain • Drive up consistency • Increase tracking of work status • Increase flow through the system • Increase visibility and metrics • Reduce any dev team friction with application security
  • 21. Pipeline - Intake • “First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
  • 22. Pipeline – the Middle • Inbound request triage • Ala Carte App Sec • Dynamic Testing • Static Testing • Re-Testing mitigated findings • Mix and match based on risk • Key Concepts • Activities can be run in parallel • Automation on setup, configuration, data export • Focus people on customization rather than setup
  • 23. Pipeline – the End • Source of truth for all AppSec activities • ThreadFix is used to • Dedup / Consolidate findings • Normalize scanner data • Generate Metrics • Push issues to bug trackers • Report and metrics automation • REST + tfclient • Source of many touch points with external teams
  • 24. Why we like AppSec Pipelines • Allow us to have visibility into WIP • Better understand/track/optimize flow of engagements • Average static test takes ... • Great increase in consistency • Easier re-allocation of engagements between staff • Each step has a well defined interface • Knowing who has what allows for more informed “cost of switching” conversations • Flexible enough for a range of skills and app maturity
  • 25. If you want to hear more... AppSec EU 2015 – talk slides & video
  • 26. Making things repeatable Remove all haphazard and ad hoc work from the process Repeat until stable, I like doing the first couple times manually with a 'run book' Scripting languages are your friends Config Mgmt – Puppet, Chef, Salt, Ansible, Jenkins, CFEngine, … Creating deployable artifacts from a branch/release aka .rpm / .deb / .msi Make sure what you do can be done on 1 server or 10,000 servers #1 - Workflow Each Step Repeatable
  • 27. Making things repeatable in AppSec Make tests easily repeatable You will be re-testing after dev fixes so repeatable tests help retesting You can hand them to devs to test as they write mitigation Make tests easy to understand You will likely be handing work off between App Sec staff or to devs Make tests abstract and combine-able Ala carte tests for mixing and matching Think about the Unix pipe | and its power #1 - Workflow Each Step Repeatable
  • 28. "I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times."
  • 29. Work left to right but don't pass on failures For AppSec, Defects == False Positives Test early and often Increase the rigor of testing as you work left to right When a failure occurs, end that flow and start a new one after corrections The further right you are, the more expensive failure is #1 - Workflow Never Pass on Defects If you can automate code review, you still must triage 1 false positive == 100 valid bugs If results aren't actionable, you've failed Best security ROI is findings early in the dev lifecycle
  • 30. Your fix cannot be my new problem Ensure no single-step optimizations degrade overall performance Spending time optimizing anything other than the critical resource is an illusion. Find the bottle neck in your workflow and start there - Upstream changes will just back things up - Downstream changes won't manifest since input is limited Each new optimization creates a new bottleneck – iterate on this #1 - Workflow Local optimizations with a global view Now go faster Make sure you have a well-defined, repeatable process first Look for manual steps that can be automated Look for duplicate work that can be removed/eliminated Measuring/tracking time taken at each step is crucial Where does the flow ebb? Increase the flow of work
  • 31. Workflow Improve Feedback The 3 Ways of DevOps 1 2 3
  • 32. Open yourself to upstream and downstream information Feedback loops occur when information is gathered from - upstream (business / development) - downstream (customer / operations) Make visible problems, concerns, potential improvements – share this publicly within your company Learn as you move left to right so improvements aren't lost Requests are opportunities to better fulfill the needs of the business There is rarely enough feedback, capture and look for more Feedback collected can be used to optimally improve the system #2 – Improve Feedback
  • 33. Customers are also inside your business Customer is more then the 'consumer' at the end of the process - Each step is the customer of the previous step - Understand what the next steps need from you to succeed Remember, feedback isn't guaranteed - encourage it by responding Make feedback & responding quick, easy and readily available #2 – Improve Feedback Understand and respond to your customers Embed knowledge when needed Go all in Keep specialized knowledge out of people's heads and into the system - Check it into source control – automatically versioned. Moving left to right, keep needed info in the stage that requires it
  • 34. Workflow Improve Feedback Continual Experimentation and Learning The 3 Ways of DevOps 1 2 3
  • 35. Create a culture of innovation and experimentation The fundamentals are now solid, what can your new knowledge buy you? The business culture must allow for and embrace innovation & experimentation Two essential things must be understood by the business and all involved - We can learn from the failed experiments and risks we take - Mastery comes with repetition and practice and you won't be a master the first N times you practice #3 – Continual Experimentation & Learning
  • 36. Findings directly to bug trackers • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog - do security sprints • Learn how the team treats issues • ThreadFix is nice for metrics and pumping issues into issue trackers - http://code.google.com/p/threadfix/
  • 37. For the reticent: nag, nag, nag • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and bug tracker APIs • Get management sold first
  • 38. Automating Infrastructure • Declarative configuration language • Plain-text configuration in source control • Fully programmatic, no manual interactions
  • 39. Cookbooks, Stacks, Playbooks, ... • Most have methods to bundle / share automation routines • You will have to write your own / customize • Good place to spend security cycles -Merge patches upstream for extra good karma points.
  • 40. Grouping & Tagging • Tagging your servers applies the required set of automation • A base set of for all servers • Each server can have multiple tags • Map tags to security requirements Node Node Node Node DB Node Node Node Node Cache Node Node Node Node Web Apache Monitoring MySql Memcache Works for Clouds Too!
  • 41. Inspector – you need one • For each group and/or tag • Review the recipe, do a PR aka Pull Request • Hook provisioning for post deploy review • Focus on checking for code compliance -Not perfection, bare minimums • Can include multiple facets -Security, Scalability, Compliance • Vuln scanners – manual or auto • Jenkins Job + Lynis (open source)
  • 42. Agent – one mole to rule them all • Add an agent to the standard deploy • Read-only helps sell to SysAdmin • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Create your own or find a vendor Mozilla MIG
  • 43. Turn Vuln scanning on its head • Add value for your ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models or config mgmt • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
  • 44. • Automate, automate, automate • Look for “paper cuts” and fix those first • Finding workflow – your AppSec Pipeline • Figure this out and standardize / optimize • Create systems which can grow organically • App is never done, its just created to easily be added to over time • Finding blocks become templates for next time • Learn to talk “dev” Key Take Aways
  • 45. The Phoenix Project The Practice of Cloud System Administration Gene Kim, Kevin Behr and George Spafford Books to read Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan