MEASUREAwaytothinkaboutDevSecOps
•
1 gostou•393 visualizações
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again? In an attempt to answer this question, we will look back in history to learn how engineering decisions affect the lives of those around us, with an eye on how to make meaningful progress today. Along the way, we will highlight the high-performing DevSecOps teams of today and introduce MEASURE, a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together. ---- thanks to Verica https://verica.io and techstrongcon.com
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (19)
Semelhante a MEASUREAwaytothinkaboutDevSecOps
Semelhante a MEASUREAwaytothinkaboutDevSecOps (20)
Mais de James Wickett
Mais de James Wickett (11)
Último
Último (20)
MEASUREAwaytothinkaboutDevSecOps
- 2. JamesWickett Head of Research @ Verica.io Author, DevOps on LinkedIn Learning Organizer, DevOps Days Austin, DevSecOps Days Austin @wickett
- 3. @wickett
- 13. @wickett
- 14. @wickett
- 16. @wickett
- 18. “The rumble ofthetwo trains, faintand far offat firstbut growing nearer and more distinctwith each fleeting second,was likethe gathering force ofa cyclone” @wickett
- 19. @wickett
- 20. @wickett
- 23. @wickett
- 24. @wickett
- 25. Aftermath: » 4 people died » Crush fired » Widespread injuries » Lawyers brought in for settlements @wickett
- 26. @wickett
- 27. @wickett
- 30. Learnings » Safety Margin exists in all Systems » Configuration errors and bullwhip effect » Experimentation can find vulnerabilities » Root cause is a myth @wickett
- 32. DevOps isan epistemological breakthroughthatjoins disparate peoplearoundacommon problem ina distrubuted computearchitecture @wickett
- 34. Securityfinds itselfinthe same positionthat operations did inthe movementofDevOps @wickett
- 37. “Companiesare spendingagreatdeal on security, butwe read ofmassive computer-related attacks. Clearly something iswrong. The rootofthe problem istwofold:we’re protectingthewrong things,andwe’re hurting productivity inthe process.”
- 38. “While engineeringteams are busy deploying leading-edgetechnologies, securityteamsare still focused on fighting yesterday’s battles.” SANS 2018 DevSecOps Survey @wickett
- 39. "manysecurity teamsworkwitha worldviewwhere their goalisto inhibit change as muchas possible"
- 40. A Highly Desireable New Breed: The DevSecOp @wickett
- 42. The DevSecOpan inclusive person participating in the movementofsecurityinto devops. @wickett
- 53. Securitysolves problems by writing code @wickett
- 54. Whyisthis considered ahottake in our industry? @wickett
- 57. @wickett
- 58. ASecurityTeamthatParticipates in Software Delivery » Empathy building » Familiarity with tools and teams » Able to shift left in the pipeline » Policy as Code approach @wickett
- 61. My500 LOC can easilybe 400,000 LOC IRL
- 62. Securityand Developer Collab » TDD/BDD/ATDD » Team Standards, reviews/config/comments/commits » Code Smells, Patterns, Refactoring » Instrumentation, Observability @wickett
- 63. “The goalshould beto come upwithasetof automatedtests that probeand check security configurations and runtime system behavior for securityfeatures thatwillexecute everytimethe system is builtand every time itis deployed.”
- 66. Maker Driven means » See security as part of engineering » Use code, not vendors to solve problems » View quality as a way to bring security in @wickett
- 67. MEASURE @wickett
- 69. @wickett
- 70. “Securityincidents are not effective measures ofdetection becauseatthatpoint it'salreadytoo late” Aaron Rinehart @wickett
- 72. “The securitydiscipline of experimentation is done in orderto build confidence inthe system’sabilityto defendagainstmalicious conditions.” @wickett
- 73. SecurityChaos Engineering (SCE) » Experiments that span eng and security » Manual opt-out » Valuable Learning » Controlled experiment blast radius @wickett
- 74. “[Chaos Engineering is] empiricalratherthan formal. We don’tuse modelsto understandwhatthe system should do.We run experiments to learnwhat itdoes.” Michael Nygard, Release It 2nd Ed. @wickett
- 75. SecurityProblems in Complex Systems » Configuration drift over time » Regressions in code » Role and privilege drift » Additive code or microservices » Security controls in wrong locations » Bullwhip effect @wickett
- 76. SCE does not » validate a config, it exercises it » check auth privileges, it attempts to thwart them » trust network settings, it sends real traffic » check app policy, it interacts with the application @wickett
- 77. 4 Steps ofSecurityChaos Engineering » Define expected behavior of a security defense » Hypothesize that when security turbulence is introduced it will be either prevented, remediated, or detected. » Introduce a variable that introduces security turbulence. » Try to disprove the hypothesis by looking for a difference in expected behavior and actual behavior @wickett
- 78. Benefitsto Experimentation » Measured, Repeatable » Results based on your needs » Actionable Outcomes » A proven method to uncover truths in complex systems @wickett
- 79. Resources » principlesofchaos.org » Release It! 2nd ed., Nygard » DevOps Ent Summit Talk youtu.be/yuOuVC8xljw » Chaos Engineering, Rosenthal and Jones verica.io/ book @wickett
- 80. MEASURE @wickett
- 84. “[Deploys] can be treatedas standard or routine changes thathave been pre-approved by management,and thatdon’trequire a heavyweight change review meeting.”
- 85. “Continuous Deliveryis how littleyou can deployatonetime” Jez Humble & David Farley @wickett
- 86. Securityinthe Pipeline » Software composition analysis » Lang linters, git-hound, ... » Scanners, gauntlt » Monitoring and telemetry @wickett
- 89. MEASURE @wickett
- 90. Safety @wickett
- 91. RootCause isaMyth in Complex Systems » Lacks full picture » Complex systems are not linear » Result of blame culture » Forgets organizational decisions » Puts the focus on the event over situation @wickett
- 92. Simple Systems: » Linear in nature » Easy to Predict » Able to comprehend @wickett
- 93. Complex Systems: » Non-linear (bullwhip effect) » Unpredictable in nature » No mental model available @wickett
- 95. @wickett
- 96. “Failures are a systems problem because there is not enough safety margin. ” @adrianco @wickett
- 97. Where SecurityFits » Know your safety margin » Stop root cause analysis, go blameless retros » Telemetry and instrumentation » ...more to explore in this area @wickett
- 98. Resources » Drift into Failure by Dekker » Understanding Human Error Video Series youtu.be/ Fw3SwEXc3PU » Richard Cook paper bit.ly/2ydDQS2 @wickett
- 99. MEASURE @wickett
- 101. “Asecurityteamwho embraces openness aboutwhatitdoes and why, spreads understanding.” Rich Smith @wickett
- 104. Four Keysto DevSecOps Culture » Mutual Understanding » Shared Language » Shared Views » Collaborative Tooling @wickett
- 105. Resources » Phoenix Project » Agile Application Security » dearauditor.org @wickett
- 106. MEASURE @wickett
- 107. Rugged @wickett
- 108. @wickett
- 110. Favor ShortLived Systems Cattle notPets @wickett
- 112. Rugged in 20211.Advanced Deception 2. ContinuousVerification @wickett
- 113. Deception » Honeypots, Tarpits, Mantraps » Simple to get started (http headers) » HoneyPy, DeceptionLogic @wickett
- 114. Resources » Aaron Rinehart's talk at RSA youtu.be/wLlME4Ve1go » Phillip Maddux's talk: youtu.be/k81xKjCEeqE » Herb Todd's talk: youtu.be/Cf_XXmRLnRQ @wickett
- 115. MEASURE @wickett
- 116. Empathy @wickett
- 117. Developers don't have enoughtimeto spend on security
- 121. “Culture isthe most importantaspectto devops succeeding inthe enterprise” Patrick DeBois @wickett
- 123. Complimentary copy of the Chaos Engineering book verica.io/book @wickett