
The New Security Playbook: DevSecOps

Discussion of how security is in crisis but DevSecOps offers a new playbook and gives security a path to influence. Taking a look at the WAF space, we look at how Signal Sciences has created feedback between Dev and Ops and Security to create new value.


1. The New Security Playbook: DevSecOps
2. James Wickett, Head of Research, Signal Sciences; Author, LinkedIn Learning
3. Get the slides: james@signalsciences.com
4. Signal Sciences secures the most important web applications, APIs, and microservices of the world's leading companies. Our next-gen WAF and RASP help you increase security and maintain site reliability without sacrificing velocity, all at the lowest total cost of ownership.
5. bit.ly/devops-courses
6. What is this DevSecOps you speak of?
7. The original DevOps Deep Thoughts were created by the hilarious and awesome Josh Zimmerman (@TheJewberwocky) as Not Jack Handey, which is a parody of Deep Thoughts by Jack Handey. These DevSecOps Deep Thoughts are not nearly as funny nor as deep, but hey, what do you expect of a parody of a parody?
8. DevSecOps is the extension of the DevOps culture to include Security
9. But why is DevSecOps, or even DevOps, important?
10. 3 Major Movements
    • Waterfall -> Agile -> DevOps
    • Monolith -> Microservices
    • Datacenter -> Cloud
11. But where does the security industry fit in all this?
12. DevSecOps
13. "[Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work"
14. "Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we're protecting the wrong things, and we're hurting productivity in the process."
15. Security is in Crisis
16. 10:1 Dev:Ops
17. 100:10:1 Dev:Ops:Sec
18. "While engineering teams are busy deploying leading-edge technologies, security teams are still focused on defending existing applications and fighting yesterday's battles." - SANS 2018 DevSecOps Survey
19. 48% of developers say security is important but they don't have enough time to spend on it
20. Yet 91% agree security is part of everyone's role
21. 73% of DevOps shops say breaches drive interest in DevSecOps
22. 1 in 3 say breaches are due to web applications
23. 72% see security pros as a "nag"
24. "many security teams work with a worldview where their goal is to inhibit change as much as possible"
25. Is DevSecOps InfoSec's last chance for survival?
26. Security needs a new playbook
27. The New Security Playbook
    • Empathy and Enablement
    • Be Fast and Non-Blocking
    • Don't slow delivery
    • Security testing automated in every phase
    • Security provides value by making security normal
28. Security's Path to Influence
    1. Identify Resource Misutilization
    2. Add Telemetry and Feedback Loops
    3. Automate and Monitor Across the Software Pipeline
    4. Influence Organizational Culture
29. One place to start is the most prolific security tool: the WAF
30. "The web application firewall market is ripe for disruption in 2018…As in previous years, little innovation has occurred during the last 12 months. Most WAF solutions still lack the more advanced analytics that Gartner analysts observe in other security markets." - Gartner
31. "every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone's eyes open to the effort required to get and keep the WAF running productively." - Whitepaper from an undisclosed WAF vendor
32. Legacy WAF is a Black Box
    • Regex dark arts with no great way to determine accuracy
    • No developer or operations access
    • Minimal integrations into today's DevOps toolchains
33. Legacy WAFs focus on the same threats as 15 years ago. The real-world top ten is very different, e.g. Account Takeover, Forceful Browsing, Feature Abuse, Evasion Techniques, Subdomain Takeover, Misconfiguration
34. Legacy WAF architecture doesn't scale
    • Inline architecture, which is often a chokepoint
    • Can't support multiple CDNs
    • Expensive to deploy and maintain
35. Create feedback through visibility, defense, and the removal of the fragile bottleneck.
36. But this can't be the only place for feedback
37. Where does compliance fit?
38. Resources
    • Agile Application Security book
    • Continuous Delivery book by Jez Humble
    • The DevOps Handbook
    • DevSecOps: Building a Secure Continuous Delivery Pipeline, LinkedIn Learning course
39. Free resource on DevSecOps
40. Get the slides: james@signalsciences.com
