DevOps, and the subsequent move to bring security in under the umbrella of DevSecOps, has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps
2. JAMES WICKETT
Sr. Sec Eng & Dev Advocate @ Verica
Author, LinkedIn Learning
Organizer, DevOps Days Austin, Serverless Days ATX, DevSecOps Days Austin
Author, DevSecOps Handbook (In progress)
@wickett
5. VERICA.IO
An enterprise platform for Continuous Verification, using Chaos Engineering principles, to take a proactive and measured approach to preventing availability and security incidents.
32. Security, like ops, struggles to provide value in most organizations
33. Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process.
34. [Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work.
35. While engineering teams are busy deploying leading-edge technologies, security teams are still focused on fighting yesterday’s battles.
SANS 2018 DevSecOps Survey
68. INSTEAD, FOCUS ON METHODS DEVELOPERS USE
▸ TDD/BDD/ATDD
▸ Meaningful comments/commits
▸ Code Smells, Refactoring
▸ Instrumentation
69. The goal should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed.
73. MAKER DRIVEN means
▸ See security as part of engineering
▸ View quality as a way to bring security in
▸ Use code, not vendors, to solve problems
78. DETECT WHAT MATTERS
▸ Account takeover attempts
▸ Areas of the site under attack
▸ Most likely vectors of attack
▸ Business logic flows
▸ Abuse and Misuse
79. We can't cede home field advantage
— Zane Lackey
91. SECURITY IN THE PIPELINE
▸ Software composition analysis
▸ Lang linters, git-hound, ...
▸ Scanners, gauntlt
▸ Monitoring and telemetry
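Slide 69 asks for automated security tests that run on every build and every deploy, and slide 91 lists the pipeline tooling that does it. The following is an added example, not code from the talk or from any of the tools it names: a minimal pipeline gate with a build-time secret check in the spirit of git-hound and a deploy-time probe of a running service's security headers. The secret patterns and the required-header policy are illustrative assumptions, not an exhaustive rule set.

```python
# Added example (not from the talk or from the tools it lists): a pipeline gate
# with one build-time check and one deploy-time check. Both return findings and
# the CLI exits non-zero on any finding so the stage fails.
import re
import sys
import urllib.request

# Build-time check in the spirit of git-hound: refuse changes that carry
# credentials. Patterns are illustrative assumptions, not an exhaustive list.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)password\s*=\s*['\"][^'\"]{6,}['\"]"),
}

def find_secrets(text):
    """Return (line_no, pattern_name) for every hit in a file or diff."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                hits.append((no, name))
    return hits

# Deploy-time check: probe the running service for security features it is
# expected to ship with (runtime behaviour, not a config file). Assumed policy.
REQUIRED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=\d{6,}"),
    "content-security-policy": re.compile(r"default-src"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
}

def check_headers(headers):
    """Return the names of required headers that are missing or too weak."""
    lower = {k.lower(): v for k, v in headers.items()}
    return [name for name, pat in REQUIRED_HEADERS.items()
            if not pat.search(lower.get(name, ""))]

def probe(url):
    """Fetch the deployed endpoint and check its response headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_headers(dict(resp.headers))

if __name__ == "__main__":
    # usage: gate.py build <file-or-diff>   |   gate.py deploy <url>
    mode, target = sys.argv[1], sys.argv[2]
    problems = find_secrets(open(target).read()) if mode == "build" else probe(target)
    print(problems or "ok")
    sys.exit(1 if problems else 0)
```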
92. [Deploys] can be treated as standard or routine changes that have been pre-approved by management, and that don’t require a heavyweight change review meeting.
104. ROOT CAUSE IS A MYTH
▸ Lacks full picture
▸ Blame culture
▸ Forgets organizational decisions
▸ Puts the focus on the event over situation
▸ Complex systems are not linear
105. Drifting into failure is a gradual, incremental decline into disaster driven by environmental pressure, unruly technology and social processes that normalize growing risk. No organization is exempt from drifting into failure.
106. BOEING 737MAX
▸ Maneuvering Characteristics Augmentation System (MCAS) keeps the bigger plane from stalling
▸ In certain situations, MCAS commands the trim in this condition without notifying the pilots
▸ The MCAS is automation software
107. ▸ Events unfolded in minutes
▸ Software was fighting the pilots silently
▸ The "system" was mimicking every 737 they had ever operated
@jpaulreed
115. Failures are a systems problem because there is not enough safety margin.
— @adrianco
116. Failure is an inevitable by-product of a complex system's normal functioning
117. WHERE SECURITY FITS
▸ Add safety margin
▸ Telemetry and instrumentation
▸ Blameless retros
▸ ...more to explore in this area
118. RESOURCES
▸ Drift into Failure by Dekker
▸ Understanding Human Error Video Series youtu.be/Fw3SwEXc3PU
▸ @jpaulreed coverage of Boeing medium.com/@jpaulreed
▸ Richard Cook paper bit.ly/2ydDQS2
130. SECURITY SHARES THROUGH
▸ Making the invisible visible
▸ Security Observability
▸ APIs, webhooks, dev tooling
131. Security Observability gives applications the ability to expose the attacks that are happening below the surface with feedback to devs, ops, and security.
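Slide 78 puts account-takeover attempts at the top of what matters, and slide 131 describes the application exposing such attacks as feedback to devs, ops and security. The following is an added example, not code from the talk or from Verica: a small detector run over constructed login log lines (the IPs, accounts and thresholds are invented for illustration) that emits the findings a security-observability feed would carry.

```python
# Added example (not from the talk): account-takeover detection over login
# telemetry. SAMPLE_LOG is constructed: timestamp, source IP, account, outcome.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-10-01T10:00:01Z 203.0.113.9 alice FAIL
2019-10-01T10:00:02Z 203.0.113.9 bob FAIL
2019-10-01T10:00:03Z 203.0.113.9 carol FAIL
2019-10-01T10:00:04Z 203.0.113.9 dave FAIL
2019-10-01T10:00:05Z 203.0.113.9 erin OK
2019-10-01T10:01:00Z 198.51.100.7 alice FAIL
2019-10-01T10:01:10Z 198.51.100.8 alice FAIL
2019-10-01T10:01:20Z 198.51.100.9 alice FAIL
2019-10-01T10:01:30Z 198.51.100.9 alice OK
2019-10-01T10:05:00Z 192.0.2.5 bob OK
"""

def parse(log_text):
    # One dict per line; a real app would emit these as structured events.
    rows = (line.split() for line in log_text.splitlines())
    return [{"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
             "account": acct, "ok": out == "OK"} for ts, src, acct, out in rows]

def _burst(group, measure, window, threshold):
    # Slide a window over one group's events (time-sorted); fire once
    # measure(failures in window) reaches threshold and report whether a login
    # then succeeded within one window: the strongest takeover signal.
    group = sorted(group, key=lambda e: e["ts"])
    for i, e in enumerate(group):
        fails = [x for x in group[: i + 1] if not x["ok"] and x["ts"] >= e["ts"] - window]
        count = measure(fails)
        if count >= threshold:
            later_ok = any(x["ok"] and e["ts"] <= x["ts"] <= e["ts"] + window for x in group)
            return count, later_ok

def detect_takeover(events, window=timedelta(minutes=5), threshold=4):
    """Findings (kind, key, count, succeeded_after) for password spraying (one
    source, many accounts) and brute force (one account, many failures)."""
    patterns = (("password_spray", "src", lambda f: len({x["account"] for x in f})),
                ("brute_force", "account", len))
    findings = []
    for kind, key, measure in patterns:
        groups = defaultdict(list)
        for e in events:
            groups[e[key]].append(e)
        for name, group in groups.items():
            hit = _burst(group, measure, window, threshold)
            if hit:
                findings.append((kind, name) + hit)
    return findings
```

Each finding is already structured, so the same tuple can be logged for ops, shown on the developers' dashboard and forwarded to the security team's alerting without three separate pipelines.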
132. A PAVED ROAD APPROACH
▸ Security as normal
▸ Security is "free"
▸ Jason Chan and Netflix
144. We’re moving from disaster recovery to chaos engineering to resiliency
— @adrianco
145. [Chaos Engineering is] empirical rather than formal. We don’t use models to understand what the system should do. We run experiments to learn what it does.
— Michael Nygard, Release It 2nd Ed.
146. CHAOS ENGINEERING
▸ Experiments that span eng and security
▸ Manual opt-out
▸ Valuable Learning
▸ ChaosSlingr, CHAP, ChaosMonkey