SlideShare uma empresa Scribd logo

S360 2015 dev_secops_program

Transferir como PPTX, PDF
Shannon Lietz
Shannon Lietz

Secure360 is a great conference in Minnesota every year. We presented how to establish a DevSecOps Program there in 2015.

Tecnologia
1 de 22
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Establishing a DevSecOps Program Shannon Lietz DevSecOps Leader & Sr. Mgr Cloud Security Engineering at Intuit
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Who I am • 25+ years Technology and Security Experience • Background in Security R&D • Working with the Cloud before it was called the “Cloud” • Manage my teams using DevOps and Scrum • IR & Crisis Management -- FOUNDER --
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org How was DevSecOps discovered? Securing at the rate of Innovation… • Pain • Trial & Error • Blood, sweat & tears • Ouch, my head hurts! It would have been great to hear this talk a couple years ago…. Bang Head Here
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Case for Change • DevOps, Agile and Scrum on the rise… • Workload migrations to software defined environments…. • Enterprises increasingly turning to Public and Private Cloud Providers… • Talent migrating to progressive companies willing to embrace change… • Start-ups now have game changing capabilities available for rent… Public Cloud • Competitive landscape has been changing…
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org What is DevSecOps? Problem Statement • DevOps requires continuous Deployments • Fast decision making is critical to DevOps success • Traditional Security just doesn’t scale or move fast enough… Welcome DevSecOps!! • Customer focused Mindset • Scale, Scale, Scale • Objective Criteria • Proactive Hunting • Continuous Detection & Response
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Emerging Security Trends • Shortage of Security Professionals • Big companies are attempting to scale security to move faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason Chan, Gene Kim, Josh Corman • Introduction of DevSecOps at MIRCon in 2014 • SecDevOps at RSA 2015 was full day of dedicated content • LinkedIn People Search: 8 DevSecOps, 7 SecDevOps, 7 DevOpsSec, 29k+ Cloud Security
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org The Art of DevSecOps DevSecOps Security Engineering Experiment, Automate, Test Security Operations Hunt, Detect, Contain Compliance Operations Respond, Manage, Train Security Science Learn, Measure, Forecast
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Getting Started Some basic principles: • You don’t need to do all of DevSecOps at once. • Small security teams can have a profound impact. • Organize around self-service. • Figure out how to communicate security for the layperson.
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Path to DevSecOps Security as Code? Experiment: Automate Policy Governance Security Operations? Experiment: Detection via Security Operations Experiment: Compliance via DevSecOps toolkit Experiment: Science via Profiling DevOps + Security DevOps + DevSecOps Compliance Operations? Science? Start Here?
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org The DevSecOps Mindset • Customer Focus • Open & Transparent • Iteration over Perfection • Hunting over Reaction • Hmmm - wait a minute, this sounds like a manifesto -> insert shameless plug here: http://www.devsecops.org
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org What’s the Work of a DevSecOps Team? Imagine that you will need to support all facets of security inline with development teams and at speed… • Do you have enough security experts to embed resources in DevOps teams? • Have you got amazing talent that would rather hunt for Security defects than create value? • Are you ready to invest in Self-Service for Security? • Are you working with a Cloud environment and can your team code?
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Ready to make these decisions? On-Prem Partial On-Prem Outsource w/ No Indemnif. Outsource w/ Part.Indemnif. Outsource w/ Full Indemnif. Who is responsible? INTERNAL You You You You + Partner Partner PARTNERS Which minimal controls are needed? Physical Security; Secure Handling & Disposal File or Object Encryption for Sensitive Data; Physical Security; Secure Handling & Disposal File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation Partner Security Controls; SOC Attestation Where does data transit and get stored? company “owned” data center or co- location any compute & transit; data stored on-prem public cloud; free services SaaS; public cloud; free services; private cloud managed services; SaaS; private cloud What are the innovation benefits? reduced latency; search sensitive data speed; reduced friction; search sensitive data speed; reduced friction; evolving patterns; community speed; reduced friction; evolving patterns; community speed; reduced friction; indemnification What are the potential risks? SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow Latency; SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown; Reduced Financial responsibility Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Or set up “policies” that look like this… { "Version": "2015-05-09", "Statement": { "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetAccountPasswordPolicy" ], "Resource": "*" } }
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org And how do you hunt for security issues in software defined environments?
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Can you communicate security complexity using simple processes? 1Discover 2Evaluate 3Control 4Communicate
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org More importantly, how do you translate? begin (iam.client.list_role_policies(:role_name => role)[:policy_names] - roledb.list_policies(role)).each do |policy| log.warn("Deleting Policy "#{policy}", which is not part of the approved baseline.") if policydiff("{}", URI.decode(iam.client.get_role_policy( :role_name => role, :policy_name => policy )[:policy_document]), {:argv => ARGV, :diff => options.diff}) end options.dryrun ? nil : iam.client.delete_role_policy( :role_name => role, :policy_name => policy ) end Account Grade: BHeal Account?
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Consider the DevSecOps Approach: Incident Drive Development (IDD) • Share your Security Tools within everyone in your organization • Everything is an incident, how you deal with it is a matter of priority and severity • Running campaigns & internal bounty programs, consider giving out t-shirts • Use your security experts as scientists • Keep Investigations separate
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Your environment should look something like this… insights security sciencesecurity tools & data AWS accounts S3 Glacier EC2 CloudTrail ingestion threat intel
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org And your team will need to operate like this… Central Account (Trusted) Admin IAM IAMIAM IAM IAM IAM BU Accounts (Trusting) SecRole SecRole SecRole SecRole SecRole SecRole IAM How did we decide which roles would be deployed? • Human • IAM Admin • Incident Response • Read Only • Services • IAM Grantor • Instance Roles required to support security services • Read Only
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org It’s not easy but it can make a difference… • Security stops being the reason nothing gets done. • Everyone in your organization is responsible for security. • Security can be a differentiator in most organizations and leads to its own innovation discovery
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Vendors embracing DevSecOps • AWS • TAP by Mandiant • SumoLogic • Splunk • OpenDNS • Evident.io • AlertLogic • Tanium • Outlier Security • Continuum Security
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Resources • http://www.devsecops.org • @devsecops • LinkedIn Group: DevSecOps • Github: DevSecOps • shannon@devsecops.org

Recomendados

ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
Shannon Lietz
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
Shannon Lietz
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
SeniorStoryteller
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSA
Shannon Lietz
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
Shannon Lietz
 
Security as Code owasp
Security as Code owaspSecurity as Code owasp
Security as Code owasp
Shannon Lietz
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
Shannon Lietz
 
Security at the Speed of Software Development
Security at the Speed of Software DevelopmentSecurity at the Speed of Software Development
Security at the Speed of Software Development
DevOps.com
 

Recomendados

ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
Shannon Lietz
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
Shannon Lietz
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
SeniorStoryteller
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSA
Shannon Lietz
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
Shannon Lietz
 
Security as Code owasp
Security as Code owaspSecurity as Code owasp
Security as Code owasp
Shannon Lietz
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
Shannon Lietz
 
Security at the Speed of Software Development
Security at the Speed of Software DevelopmentSecurity at the Speed of Software Development
Security at the Speed of Software Development
DevOps.com
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
Aaron Rinehart
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps Overview
Adrian Sanabria
 
The Teams Behind DevSecOps
The Teams Behind DevSecOps The Teams Behind DevSecOps
The Teams Behind DevSecOps
Uleska
 
AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019 AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019
Aaron Rinehart
 
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
Aaron Rinehart
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
DJ Schleen
 
Overcoming Security Challenges in DevOps
Overcoming Security Challenges in DevOpsOvercoming Security Challenges in DevOps
Overcoming Security Challenges in DevOps
Alert Logic
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering
Aaron Rinehart
 
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar DeckHow PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
Amazon Web Services
 
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos EngineeringRSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
Aaron Rinehart
 
Runecast: Simplified Security with Unparalleled Transparency (March 2022)
Runecast: Simplified Security with Unparalleled Transparency (March 2022)Runecast: Simplified Security with Unparalleled Transparency (March 2022)
Runecast: Simplified Security with Unparalleled Transparency (March 2022)
Jason Mashak
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
Aaron Rinehart
 
Optimize & Secure Your Hybrid Cloud with Runecast (September 2021)
Optimize & Secure Your Hybrid Cloud with Runecast (September 2021)Optimize & Secure Your Hybrid Cloud with Runecast (September 2021)
Optimize & Secure Your Hybrid Cloud with Runecast (September 2021)
Jason Mashak
 
Runecast Analyzer Overview
Runecast Analyzer OverviewRunecast Analyzer Overview
Runecast Analyzer Overview
Stanimir Markov
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
Adrian Sanabria
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native security
Kennedy
 
451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?
Adrian Sanabria
 
Securing DevOps Lifecycle
Securing DevOps LifecycleSecuring DevOps Lifecycle
Securing DevOps Lifecycle
DevOps Indonesia
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWS
Amazon Web Services
 
Chaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in ProductionChaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in Production
Keet Sugathadasa
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
Shannon Lietz
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
Shannon Lietz
 

Mais conteúdo relacionado

Mais procurados

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
Aaron Rinehart
 
The Teams Behind DevSecOps
The Teams Behind DevSecOps The Teams Behind DevSecOps
The Teams Behind DevSecOps
Uleska
 
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
Aaron Rinehart
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering
Aaron Rinehart
 
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar DeckHow PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
Amazon Web Services
 
Runecast: Simplified Security with Unparalleled Transparency (March 2022)
Runecast: Simplified Security with Unparalleled Transparency (March 2022)Runecast: Simplified Security with Unparalleled Transparency (March 2022)
Runecast: Simplified Security with Unparalleled Transparency (March 2022)
Jason Mashak
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
Adrian Sanabria
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native security
Kennedy
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWS
Amazon Web Services
 

Mais procurados (20)

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps Overview
 
The Teams Behind DevSecOps
The Teams Behind DevSecOps The Teams Behind DevSecOps
The Teams Behind DevSecOps
 
AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019 AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019
 
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
 
Overcoming Security Challenges in DevOps
Overcoming Security Challenges in DevOpsOvercoming Security Challenges in DevOps
Overcoming Security Challenges in DevOps
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering
 
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar DeckHow PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
 
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos EngineeringRSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
 
Runecast: Simplified Security with Unparalleled Transparency (March 2022)
Runecast: Simplified Security with Unparalleled Transparency (March 2022)Runecast: Simplified Security with Unparalleled Transparency (March 2022)
Runecast: Simplified Security with Unparalleled Transparency (March 2022)
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
Optimize & Secure Your Hybrid Cloud with Runecast (September 2021)
Optimize & Secure Your Hybrid Cloud with Runecast (September 2021)Optimize & Secure Your Hybrid Cloud with Runecast (September 2021)
Optimize & Secure Your Hybrid Cloud with Runecast (September 2021)
 
Runecast Analyzer Overview
Runecast Analyzer OverviewRunecast Analyzer Overview
Runecast Analyzer Overview
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native security
 
451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?
 
Securing DevOps Lifecycle
Securing DevOps LifecycleSecuring DevOps Lifecycle
Securing DevOps Lifecycle
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWS
 
Chaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in ProductionChaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in Production
 

Destaque

Justin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryJustin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application delivery
DevSecCon
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
DevSecCon
 

Destaque (20)

DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
Justin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryJustin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application delivery
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
 
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
 
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
 
DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatops
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
 
DevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareDevSecOps - Building Rugged Software
DevSecOps - Building Rugged Software
 
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua CormanWhere Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
 
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial ModellingDevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment security
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
 
RoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDRoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CD
 
DevSecOps SG Introduction - August Meetup
DevSecOps SG Introduction - August MeetupDevSecOps SG Introduction - August Meetup
DevSecOps SG Introduction - August Meetup
 

Semelhante a S360 2015 dev_secops_program

(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
Amazon Web Services
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015
Daniel Liber
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
Cprime
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Amazon Web Services
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
lior mazor
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
Turja Narayan Chaudhuri
 

Semelhante a S360 2015 dev_secops_program (20)

(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
 
Working on DevSecOps culture - a team centric view
Working on DevSecOps culture - a team centric viewWorking on DevSecOps culture - a team centric view
Working on DevSecOps culture - a team centric view
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
 
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019
 
Salesforce x DevOps 101.pdf
Salesforce x DevOps 101.pdfSalesforce x DevOps 101.pdf
Salesforce x DevOps 101.pdf
 
System Security on Cloud
System Security on CloudSystem Security on Cloud
System Security on Cloud
 
SDLC & DevSecOps
SDLC & DevSecOpsSDLC & DevSecOps
SDLC & DevSecOps
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
 
State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019
 

Último

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 

S360 2015 dev_secops_program

  • 1. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Establishing a DevSecOps Program Shannon Lietz DevSecOps Leader & Sr. Mgr Cloud Security Engineering at Intuit
  • 2. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Who I am • 25+ years Technology and Security Experience • Background in Security R&D • Working with the Cloud before it was called the “Cloud” • Manage my teams using DevOps and Scrum • IR & Crisis Management -- FOUNDER --
  • 3. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org How was DevSecOps discovered? Securing at the rate of Innovation… • Pain • Trial & Error • Blood, sweat & tears • Ouch, my head hurts! It would have been great to hear this talk a couple years ago…. Bang Head Here
  • 4. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Case for Change • DevOps, Agile and Scrum on the rise… • Workload migrations to software defined environments…. • Enterprises increasingly turning to Public and Private Cloud Providers… • Talent migrating to progressive companies willing to embrace change… • Start-ups now have game changing capabilities available for rent… Public Cloud • Competitive landscape has been changing…
  • 5. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org What is DevSecOps? Problem Statement • DevOps requires continuous Deployments • Fast decision making is critical to DevOps success • Traditional Security just doesn’t scale or move fast enough… Welcome DevSecOps!! • Customer focused Mindset • Scale, Scale, Scale • Objective Criteria • Proactive Hunting • Continuous Detection & Response
  • 6. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Emerging Security Trends • Shortage of Security Professionals • Big companies are attempting to scale security to move faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason Chan, Gene Kim, Josh Corman • Introduction of DevSecOps at MIRCon in 2014 • SecDevOps at RSA 2015 was full day of dedicated content • LinkedIn People Search: 8 DevSecOps, 7 SecDevOps, 7 DevOpsSec, 29k+ Cloud Security
  • 7. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org The Art of DevSecOps DevSecOps Security Engineering Experiment, Automate, Test Security Operations Hunt, Detect, Contain Compliance Operations Respond, Manage, Train Security Science Learn, Measure, Forecast
  • 8. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Getting Started Some basic principles: • You don’t need to do all of DevSecOps at once. • Small security teams can have a profound impact. • Organize around self-service. • Figure out how to communicate security for the layperson.
  • 9. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Path to DevSecOps Security as Code? Experiment: Automate Policy Governance Security Operations? Experiment: Detection via Security Operations Experiment: Compliance via DevSecOps toolkit Experiment: Science via Profiling DevOps + Security DevOps + DevSecOps Compliance Operations? Science? Start Here?
  • 10. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org The DevSecOps Mindset • Customer Focus • Open & Transparent • Iteration over Perfection • Hunting over Reaction • Hmmm - wait a minute, this sounds like a manifesto -> insert shameless plug here: http://www.devsecops.org
  • 11. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org What’s the Work of a DevSecOps Team? Imagine that you will need to support all facets of security inline with development teams and at speed… • Do you have enough security experts to embed resources in DevOps teams? • Have you got amazing talent that would rather hunt for Security defects than create value? • Are you ready to invest in Self-Service for Security? • Are you working with a Cloud environment and can your team code?
  • 12. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Ready to make these decisions? On-Prem Partial On-Prem Outsource w/ No Indemnif. Outsource w/ Part.Indemnif. Outsource w/ Full Indemnif. Who is responsible? INTERNAL You You You You + Partner Partner PARTNERS Which minimal controls are needed? Physical Security; Secure Handling & Disposal File or Object Encryption for Sensitive Data; Physical Security; Secure Handling & Disposal File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation Partner Security Controls; SOC Attestation Where does data transit and get stored? company “owned” data center or co- location any compute & transit; data stored on-prem public cloud; free services SaaS; public cloud; free services; private cloud managed services; SaaS; private cloud What are the innovation benefits? reduced latency; search sensitive data speed; reduced friction; search sensitive data speed; reduced friction; evolving patterns; community speed; reduced friction; evolving patterns; community speed; reduced friction; indemnification What are the potential risks? SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow Latency; SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown; Reduced Financial responsibility Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown
  • 13. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Or set up “policies” that look like this… { "Version": "2015-05-09", "Statement": { "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetAccountPasswordPolicy" ], "Resource": "*" } }
  • 14. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org And how do you hunt for security issues in software defined environments?
  • 15. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Can you communicate security complexity using simple processes? 1Discover 2Evaluate 3Control 4Communicate
  • 16. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org More importantly, how do you translate? begin (iam.client.list_role_policies(:role_name => role)[:policy_names] - roledb.list_policies(role)).each do |policy| log.warn("Deleting Policy "#{policy}", which is not part of the approved baseline.") if policydiff("{}", URI.decode(iam.client.get_role_policy( :role_name => role, :policy_name => policy )[:policy_document]), {:argv => ARGV, :diff => options.diff}) end options.dryrun ? nil : iam.client.delete_role_policy( :role_name => role, :policy_name => policy ) end Account Grade: BHeal Account?
  • 17. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Consider the DevSecOps Approach: Incident Drive Development (IDD) • Share your Security Tools within everyone in your organization • Everything is an incident, how you deal with it is a matter of priority and severity • Running campaigns & internal bounty programs, consider giving out t-shirts • Use your security experts as scientists • Keep Investigations separate
  • 18. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Your environment should look something like this… insights security sciencesecurity tools & data AWS accounts S3 Glacier EC2 CloudTrail ingestion threat intel
  • 19. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org And your team will need to operate like this… Central Account (Trusted) Admin IAM IAMIAM IAM IAM IAM BU Accounts (Trusting) SecRole SecRole SecRole SecRole SecRole SecRole IAM How did we decide which roles would be deployed? • Human • IAM Admin • Incident Response • Read Only • Services • IAM Grantor • Instance Roles required to support security services • Read Only
  • 20. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org It’s not easy but it can make a difference… • Security stops being the reason nothing gets done. • Everyone in your organization is responsible for security. • Security can be a differentiator in most organizations and leads to its own innovation discovery
  • 21. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Vendors embracing DevSecOps • AWS • TAP by Mandiant • SumoLogic • Splunk • OpenDNS • Evident.io • AlertLogic • Tanium • Outlier Security • Continuum Security
  • 22. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Resources • http://www.devsecops.org • @devsecops • LinkedIn Group: DevSecOps • Github: DevSecOps • shannon@devsecops.org

Notas do Editor

  1. Disclaimer: The content in this presentation represents my own views and does not reflect an endorsement by my employer.
  2. Attribution: Erik Peterson at RSA 2015
  3. Security teams and DevOps must search the same security repositories and build rules to detect anomalies Everything is an incident, how you deal with it is a matter of priority and severity Running campaigns can have a profound impact in reducing attack surface, consider giving out t-shirts Investigation tools and Search history for Investigators are kept separate for disclosure purposes