DevOps and the subsequent move to bring security in under the umbrella of DevSecOps have created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in history to learn how engineering decisions affect the lives of those around us, with an eye on how to make meaningful progress today.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce MEASURE, a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety, in the hope of framing a new playbook for devs, ops, and security to work together.
----
thanks to Verica https://verica.io and techstrongcon.com
18. “The rumble of the two trains, faint and far off at first but growing nearer and more distinct with each fleeting second, was like the gathering force of a cyclone”
@wickett
30. Learnings
» Safety Margin exists in all Systems
» Configuration errors and bullwhip effect
» Experimentation can find vulnerabilities
» Root cause is a myth
37. “Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process.”
38. “While engineering teams are busy deploying leading-edge technologies, security teams are still focused on fighting yesterday’s battles.”
SANS 2018 DevSecOps Survey
63. “The goal should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed.”
66. Maker Driven means
» See security as part of engineering
» Use code, not vendors to solve problems
» View quality as a way to bring security in
73. Security Chaos Engineering (SCE)
» Experiments that span eng and security
» Manual opt-out
» Valuable Learning
» Controlled experiment blast radius
74. “[Chaos Engineering is] empirical rather than formal. We don’t use models to understand what the system should do. We run experiments to learn what it does.”
Michael Nygard, Release It 2nd Ed.
75. Security Problems in Complex Systems
» Configuration drift over time
» Regressions in code
» Role and privilege drift
» Additive code or microservices
» Security controls in wrong locations
» Bullwhip effect
76. SCE does not
» validate a config, it exercises it
» check auth privileges, it attempts to thwart them
» trust network settings, it sends real traffic
» check app policy, it interacts with the application
77. 4 Steps of Security Chaos Engineering
» Define expected behavior of a security defense
» Hypothesize that when security turbulence is introduced it will be either prevented, remediated, or detected.
» Introduce a variable that introduces security turbulence.
» Try to disprove the hypothesis by looking for a difference in expected behavior and actual behavior
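The four steps above, as an added Python example that is not from the original slides. `ToyBucket` and its flags are a constructed, hypothetical stand-in for a real storage control; the experiment exercises it with an anonymous read rather than inspecting its configuration.

```python
from dataclasses import dataclass, field

@dataclass
class ToyBucket:
    """Constructed stand-in for the system under experiment (hypothetical)."""
    public: bool = False
    block_public: bool = False      # guardrail that refuses public ACLs
    auto_remediate: bool = False    # reconciler that reverts drift
    alert_on_change: bool = False   # telemetry on ACL changes
    alerts: list = field(default_factory=list)

    def set_public(self, value):
        if value and self.block_public:
            return                  # change rejected by the guardrail
        self.public = value
        if self.alert_on_change:
            self.alerts.append(f"acl changed: public={value}")

    def reconcile(self):
        if self.auto_remediate:
            self.public = False

    def anonymous_read(self):
        # Exercise the control by acting as an unauthenticated client,
        # instead of reading the ACL and trusting it.
        return self.public

def run_experiment(bucket):
    # Step 1: expected behavior of the defense: anonymous reads are denied.
    if bucket.anonymous_read():
        raise RuntimeError("steady state not met, do not inject turbulence")
    # Step 2: hypothesis: the turbulence is prevented, remediated, or detected.
    # Step 3: introduce the turbulence, a public ACL as drift would produce.
    bucket.set_public(True)
    try:
        prevented = not bucket.anonymous_read()
        bucket.reconcile()
        remediated = not prevented and not bucket.anonymous_read()
        detected = bool(bucket.alerts)
        # Step 4: try to disprove the hypothesis, expected vs. actual behavior.
        checks = (("prevented", prevented), ("remediated", remediated),
                  ("detected", detected))
        outcomes = [name for name, hit in checks if hit]
        return {"hypothesis_holds": bool(outcomes), "outcomes": outcomes}
    finally:
        bucket.public = False       # controlled blast radius: always roll back
```

A result with `hypothesis_holds` set to `False` is the finding: the turbulence was neither prevented, remediated, nor detected.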
78. Benefits to Experimentation
» Measured, Repeatable
» Results based on your needs
» Actionable Outcomes
» A proven method to uncover truths in complex systems
79. Resources
» principlesofchaos.org
» Release It! 2nd ed., Nygard
» DevOps Ent Summit Talk youtu.be/yuOuVC8xljw
» Chaos Engineering, Rosenthal and Jones verica.io/book
84. “[Deploys] can be treated as standard or routine changes that have been pre-approved by management, and that don’t require a heavyweight change review meeting.”
91. Root Cause is a Myth in Complex Systems
» Lacks full picture
» Complex systems are not linear
» Result of blame culture
» Forgets organizational decisions
» Puts the focus on the event over situation
96. “Failures are a systems problem because there is not enough safety margin.”
@adrianco
97. Where Security Fits
» Know your safety margin
» Stop root cause analysis, go blameless retros
» Telemetry and instrumentation
» ...more to explore in this area
98. Resources
» Drift into Failure by Dekker
» Understanding Human Error Video Series youtu.be/Fw3SwEXc3PU
» Richard Cook paper bit.ly/2ydDQS2