DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for Security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again? In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us, and even though the world has radically changed over the last century, we are still facing many of the same root challenges. Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.

1. ADevSecOpsTale of
Business,
Engineering,and
People
@wickett

2. JamesWickett
Sr. Sec Eng & Dev Advocate @ Verica
Author, LinkedIn Learning
Organizer, DevOps Days Austin, Serverless Days ATX
DevSecOps Days Austin
Author, DevSecOps Handbook (In progress)
@wickett

3. @wickett

4. Get the slides now
wickett@verica.io
@wickett

5. verica.io
An enterprise platform for Continuous Verification,
using Chaos Engineering principles, to take a
proactive and measured approach to preventing
availability and security incidents.
@wickett

6. ATale ofMoney,
Chaos,andWoe
@wickett

7. September 15
1896@wickett

8. William Crush
@wickett

10. Wanted promotion
to growbusiness
@wickett

11. Demolition Derby, but
forTrains
@wickett

12. 1896 introducedthe
ideaofrunningtrain
crashes for Funand
Profit
@wickett

13. William Crush's
innovationwas
makingthe event
"free"
@wickett

14. Crushwentfrom
passengeragentto
big-tentpromoter
@wickett

15. ACityforaDay
Crush,Texas
@wickett

16. @wickett

17. Crush,Texas
Population 40,000
@wickett

18. 200 LawOfficersandaJail
Dozenwaterwells
Watertankers
Concessions from Dallas
Preachersand Politicians
Midwaywith Games
@wickett

19. Biz Model:
Tickets
Concessions
Advertising
@wickett

20. @wickett

21. Crushwas
concernedabout
safety
@wickett

22. @wickett

23. Engineers evaluated
boilers
Laid 4 miles oftrack
Crowdat200yards
Pressat100yards
@wickett

24. Word gotout,
Thomas Edison
wantedto film it
@wickett

25. @wickett

26. 4pm, September 15th,
1896
@wickett

27. “The rumble ofthetwo
trains, faintand far offat
firstbut growing nearer
and more distinctwith
each fleeting second,was
likethe gathering force ofa
cyclone”
@wickett

28. @wickett

29. Thetrains collided
atcombined speed
between 90and 120
mph
@wickett

30. @wickett

31. One secondafter
impactthe boilers
exploded
@wickett

32. @wickett

33. @wickett

34. Steam, Iron,Wood
filledthe sky
@wickett

35. @wickett

36. Aftermath:
» 4 people died
» Crush fired
» Widespread injuries during incident
» More injuries after incident
» Town shut down
» Lawyers brought in for settlements
@wickett

37. @wickett

38. @wickett

39. Fallout
@wickett

40. Days later
Crush rehired
Retired from
the MKT 44
years later
@wickett

41. Demolition Derbyvia
Trains becamea
national
phenomenon
@wickett

42. But, Inthe hundreds
ofevents post-
Crush,the boilers
held
@wickett

43. What I learned:
Chronocentrism exists
Engineering is hard
Blame is easy
@wickett

44. RootCause isaMyth
@wickett

45. Breaches or Failures
won'tstopbusiness
@wickett

46. Experimentationand
Learningare Critical
@wickett

47. DEVSECOPS
@wickett

48. credit to Josh Zimmerman, the original DevOps Jack Handy

49. DEVSECOPS
@wickett

50. First,
Understand DevOps
and howwe got here
@wickett

52. Teh Cloud
@wickett

53. DataSo Big RightNow
@wickett

54. @wickett

56. “DevOps is the inevitable
resultofneedingto do
efficient operations in a
distributed computing
and cloud environment.”
Tom Limoncelli
@wickett

57. “DevOps is nota
technological
problem. DevOps isa
business problem.”
Damon Edwards
@wickett

58. DevOps isan
epistemological
breakthroughjoining
disparate peoplearounda
common problem
@wickett

59. DevOpswas needed
to fixthe inequitable
distribution of
labor
@wickett

60. 10:1
DEV:OPS
@wickett

61. DevOps isjust
anotherwaypointon
Agile'sjourney
acrossthe business
@wickett

62. Ok DevOps,that's
fine.
ButwhyDevSecOps?
@wickett

63. Iasked myselfthis same question
@wickett

64. @wickett

65. Securityfinds itselfinthe
same positionthat
operations did inthe
movementofDevOps
@wickett

66. 100:10:1
DEV:OPS:SEC
@wickett

67. Siloization
@wickett

68. Security, like ops
strugglesto provide
value in most
organizations
@wickett

69. “Companiesare
spendingagreatdeal
on security, butwe
read ofmassive
computer-related
attacks. Clearly
something iswrong.
The rootofthe problem
istwofold:we’re
protectingthewrong
things,andwe’re
hurting productivity
inthe process.”

70. “[Securitybyrisk
assessment]
introducesa
dangerous fallacy:
thatstructured
inadequacyis almost
as good asadequacy
and that underfunded
securityefforts plus
risk managementare
aboutas goodas
properlyfunded
securitywork”

71. “While engineeringteams
are busy deploying
leading-edgetechnologies,
securityteamsare still
focused on fighting
yesterday’s battles.”
SANS 2018 DevSecOps Survey
@wickett

72. "manysecurity
teamsworkwitha
worldviewwhere
their goalisto
inhibit change
as muchas possible"

73. Newtechnology(cloud,
k8s, serverless, ...)and
increased organization
focus on software
deliveryiswhywe need
DevSecOps.
@wickett

74. A Highly Desireable New Breed:
The DevSecOp
@wickett

75. ...notatool
...notaCI/CD pipeline
...can’tbe bought
@wickett

76. An inclusive person
participating inthe
movementof
securityinto
devops.
@wickett

77. DevSecOps Framework:
MEASURE
@wickett

78. Maker Driven
Experimenting
Automating
SafetyAware
Unrestrained Sharing
Ruggedizing
Empathy
@wickett

79. MEASURE
@wickett

80. Maker Driven
@wickett

81. Weare software engineers
who specialize inaspecific
discipline: security
@wickett

82. Securitymustbeable to
write code
@wickett

83. Whyisthis considered
ahottake in our industry?
@wickett

84. Withallthe
resourcesavailable
today...
@wickett

86. Securityis partof
the making
@wickett

87. Securityalreadyuses DSLs
@wickett

88. @wickett

89. The Entire Security
Team Must
Participate in
Software Delivery
@wickett

90. Empathybuilding
Familiaritywithtools
Ableto move upthe pipeline
@wickett

91. Abug isabug isabug
@wickett

92. DefectDensity
studies range
from .5to 10 defects
per KLOC
@wickett

93. Defectdensity
is never zero
@wickett

94. With framework/
deps, 500 LOCyou
write can easilybe
400,000 LOC

95. Hot take:
You cannottrain
developers
towrite secure code
@wickett

96. Instead, focus on Methods
Developers use
» TDD/BDD/ATDD
» Meaningful comments/commits
» Code Smells, Patterns, Refactoring
» Instrumentation, Observability
@wickett

97. “The goalshould beto
come upwithasetof
automatedtests that
probeand check
security
configurations and
runtime system
behavior for
securityfeatures
thatwillexecute
everytimethe system
is builtand every
time itis deployed.”

98. Securityis
connectedwith
quality
@wickett

101. Maker Driven means
» See security as part of engineering
» View quality as a way to bring security in
» Use code, not vendors to solve problems
@wickett

102. MEASURE
@wickett

103. Experimenting (and
Learning)
@wickett

104. Benefitsto Experimentation
» Measured, Repeatable
» Results based on your needs
» Actionable Outcomes
@wickett

105. “Securityincidents
are not effective
measures ofdetection
becauseatthatpoint
it'salreadytoo late”
Aaron Rinehart
@wickett

107. KnowMostLikelyAttacks
and Howto MeasureAbuse
and Misuse
@wickett

108. “We can'tcede home
fieldadvantage”
Zane Lackey
@wickett

109. Experimenting necessitates
understanding steadystate
@wickett

110. Resources
» Shannon Lietz (@devsecops)
» DOES 2018 Talk: youtu.be/yuOuVC8xljw
@wickett

111. MEASURE
@wickett

112. Automation
@wickett

115. “Continuous
Deliveryis how
littleyou can
deployatonetime”
Jez Humble & David Farley
@wickett

116. Optimizetotalcycle
time from code
committo running in
prod
@wickett

117. 15,000deploys in 3.5 years
@wickett

118. Securityinthe Pipeline
» Software composition analysis
» Lang linters, git-hound, ...
» Scanners, gauntlt
» Monitoring and telemetry
@wickett

119. “[Deploys] can be
treatedas
standard or
routine changes
thathave been
pre-approved by
management,and
thatdon’trequire
a heavyweight
change review
meeting.”

120. Resources:
@wickett

121. linkedin.com/learning/devsecops-building-a-secure-
continuous-delivery-pipeline
@wickett

122. linkedin.com/learning/devsecops-automated-security-
testing
@wickett

123. MEASURE
@wickett

124. SafetyAware
@wickett

125. Simplevs. Complex Systems
@wickett

126. Simple Systems:
Linear in nature
Easyto Predict
Ableto comprehend
@wickett

127. Complex Systems:
Non-linear (bullwhipeffect)
Unpredictable in nature
No mentalmodelavailable
@wickett

128. Weabstractcomplexity
» Human beings
» Societial issues
» Psychological issues
» Cognitive load
@wickett

129. Software deals with complexitythrough
abstraction
@wickett

130. RootCause (inacomplex system)
isaMyth
» Lacks full picture
» Complex systems are not linear
» Result of blame culture
» Forgets organizational decisions
» Puts the focus on the event over situation
@wickett

131. “Drifting into failure is
a gradual, incremental
decline into disaster
driven by
environmental
pressure, unruly
technologyand social
proccessesthat
normalize growing
risk. No organization is
exempt from drifting
into failure”
@wickett

132. Boeing 737Max
» Maneuvering Characteristics Augmentation System
(MCAS)
» MCAS commands the trim without notifying the
pilots
» This is software
@wickett

133. Softwarewas
fightingthe pilots
silently
@wickett

134. High-speed decision
making inan up-
tempo environment
@wickett

135. Software is eating theworld
@wickett

136. “The growth of
complexityin
societyhas got
ahead ofour
understaindin
g of how
complex
systemswork
and fail”

137. @wickett

138. @wickett

139. Operationsand
Security's burdento
rationalize system
models
@wickett

140. “Failures are a
systems problem
because there is not
enough safety
margin. ”
@adrianco
@wickett

141. “Failure isan
inevitable by-
productofa
complex
system's
normal
functioning”

142. Where SecurityFits
» Add safety margin
» Telemetry and instrumentation
» Blameless retros
» ...more to explore in this area
@wickett

143. Resources
» Drift into Failure by Dekker
» Understanding Human Error Video Series youtu.be/
Fw3SwEXc3PU
» @jpaulreed coverage of Boeing medium.com/
@jpaulreed
» Richard Cook paper bit.ly/2ydDQS2
@wickett

144. MEASURE
@wickett

145. Unrestrained
Sharing
@wickett

146. “Culture isthe most
importantaspectto
devops succeeding
inthe enterprise”
Patrick DeBois
@wickett

147. DevSecOps isthe
extension ofthe
DevOps culture for
the inclusion of
Security
@wickett

148. “Asecurityteamwho
embraces openness
aboutwhatitdoes
and why, spreads
understanding.”
Rich Smith
@wickett

149. Unrestrained Sharing
affects culture
@wickett

150. Unrestrained
Sharing goes
againstsecurity's
standard operating
procedure
@wickett

151. Itwillfeel
uncomfortable
@wickett

152. Sharing breaks
down silos
@wickett

153. Four Keysto Culture
» Mutual Understanding
» Shared Language
» Shared Views
» Collaborative Tooling
@wickett

154. 20% ofdevelopers
don'tknowwhat
securityexpects of
them
@wickett

155. SecuritySharesThrough
» Making invisible as visible
» Security Observability
» APIs, webhooks, dev tooling
@wickett

156. This includes the
auditors
@wickett

158. Resources
» Phoenix Project
» Agile Application Security
» dearauditor.org
@wickett

159. MEASURE
@wickett

160. Ruggedization
@wickett

161. @wickett

162. Software BillofMaterials
Knowwhatyou have
@wickett

163. Favor ShortLived Systems
Cattle notPets
@wickett

164. DIE Framework
Distributed
Immutable
Ephemeral
source: @sounilyu
@wickett

165. Ruggedization in 2020
1. Deception
2. Chaos Engineering
@wickett

166. Deception
» Honeypots, Tarpits, Mantraps
» Simple to get started (http headers)
» HoneyPy, DeceptionLogic
@wickett

167. “We’re moving from
disaster recovery
to chaos engineering
to resiliency”
@adrianco
@wickett

168. “[Chaos Engineering is]
empiricalratherthan formal.
We don’tuse modelsto
understandwhatthe system
should do.We run experiments
to learnwhat itdoes.”
Michael Nygard, Release It 2nd Ed.
@wickett

169. “The security discipline of
[chaos] experimentation is
done in orderto build
confidence inthe system’s
abilityto defend against
malicious conditions.”
Aaron Rinehart
@wickett

170. Chaos Engineering
» Experiments that span eng and security
» Manual opt-out
» Valuable Learning
» Controlled experiment blast radius
@wickett

171. Resources
» Aaron Rinehart's talk at RSA youtu.be/wLlME4Ve1go
» principlesofchaos.org
» Release It! 2nd ed., Nygard
» Phillip Maddux's talk: youtu.be/k81xKjCEeqE
» Herb Todd's talk: youtu.be/Cf_XXmRLnRQ
@wickett

172. MEASURE
@wickett

173. Empathy
@wickett

175. “those stupid
developers”
Security
@wickett

176. “youwantamachine
powered offand
unplugged”
Developer
@wickett

177. Halfofdevelopers
saythatdon'thave
enoughtimeto spend
on security

178. Don’tbeablocker
be an enabler
@wickett

179. Maker Driven
Experimenting
Automating
SafetyAware
Unrestrained Sharing
Ruggedizing
Empathy
@wickett

180. Share your story
book@devsecops.org
@wickett

181. Get the slides
wickett@verica.io
Questions
@wickett
@wickett