DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This talk will highlight security’s place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
13. Dev and Ops and Security do not share a worldview
verica.io // @wickett && @aaronrinehart
14. Disclaimer: we use DevOps and DevSecOps interchangeably
15. Security has known about the worldview disconnect for some time
17. "many security teams work with a worldview where their goal is to inhibit change as much as possible"
18. [Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work
19. Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process.
20. While engineering teams are busy deploying leading-edge technologies, security teams are still focused on fighting yesterday’s battles.
— SANS 2018 DevSecOps Survey
21. A Highly Desirable New Breed: The DevSecOp
22. ...not a tool
...not a CI/CD pipeline
...can’t be bought
24. DevOps is the inevitable result of needing to do efficient operations in a distributed computing and cloud environment.
— Tom Limoncelli
25. DevSecOps is the inevitable result of needing to do efficient IT in a new world
26. DevSecOps was needed to fix the inequitable distribution of labor
34. Examples of Complex Systems
• Global Financial Markets
• Nation-State Politics
• Weather Patterns
• The Human Body
• Bird Patterns
• Distributed Computing Systems (aka your systems)
35. Fact: Outages & Breaches will continue to get worse
46. Security should participate in the software delivery practice and use the language of their peers as they ship software together
47. With all the resources available today...
49. Security is part of the making
50. Why? Shifting Focus on what matters most.
51. Value Chain
As a security professional, can you explain where you fit in your company’s value chain?
52. Does the company exist to deliver product and services or employee desktops?
53. Everyone is responsible for the engineering, not just the security.
54. Outcomes:
— Empathy building
— Familiarity with tools
— Able to move up the pipeline
55. A bug is a bug is a bug
56. Defect Density studies range from 0.5 to 10 defects per KLOC
61. The goal should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed.
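One shape such a test set can take, as an added example that is not from the talk or the speakers' tooling: a build-time pass over the service configuration and a deploy-time pass over what the running service actually exhibits, both feeding one pipeline gate. The configuration, the probed response headers, and the check names are constructed for an offline run; in practice the config comes from the build artefact and the headers from an HTTP request against the deployed endpoint.

```python
"""Added example (not from the talk): automated security checks meant to run in
CI at build time and again after deploy. The configuration and the runtime
probe result are constructed inline so the module runs offline."""
from dataclasses import dataclass

# Constructed service configuration, as parsed from a build artefact.
BUILD_CONFIG = {
    "tls": {"enabled": True, "min_version": "1.2"},
    "debug": False,
    "admin_endpoints_require_auth": True,
    "session_cookie": {"secure": True, "httponly": True},
}

# Constructed response headers, as a post-deploy probe of "/" might observe.
RUNTIME_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Server": "app/1.0",
}


@dataclass
class Finding:
    check: str
    passed: bool
    detail: str = ""


def check_build_config(cfg: dict) -> list[Finding]:
    """Build-time checks: the configuration states the security features we expect."""
    findings = []
    tls = cfg.get("tls", {})
    findings.append(Finding("tls_enabled", tls.get("enabled") is True))
    findings.append(Finding("tls_min_version", tls.get("min_version") in ("1.2", "1.3"),
                            f"got {tls.get('min_version')!r}"))
    findings.append(Finding("debug_off", cfg.get("debug") is False))
    findings.append(Finding("admin_auth", cfg.get("admin_endpoints_require_auth") is True))
    cookie = cfg.get("session_cookie", {})
    findings.append(Finding("cookie_flags",
                            cookie.get("secure") is True and cookie.get("httponly") is True))
    return findings


def check_runtime_headers(headers: dict) -> list[Finding]:
    """Deploy-time checks: the running system really exhibits the features."""
    required = {
        "Strict-Transport-Security": lambda v: "max-age=" in v,
        "X-Content-Type-Options": lambda v: v.lower() == "nosniff",
        "Content-Security-Policy": lambda v: "default-src" in v,
    }
    findings = []
    for name, ok in required.items():
        value = headers.get(name)
        findings.append(Finding(f"header:{name}", value is not None and ok(value), f"got {value!r}"))
    # Version disclosure in Server is recorded as a finding; whether it blocks is the gate's call.
    server = headers.get("Server", "")
    findings.append(Finding("server_header_no_version",
                            not any(ch.isdigit() for ch in server), f"got {server!r}"))
    return findings


def gate(findings: list[Finding], must_pass: set[str]) -> bool:
    """Pipeline gate: the build or deploy fails only on checks listed in must_pass;
    everything else is reported for review without blocking."""
    return all(f.passed for f in findings if f.check in must_pass)


if __name__ == "__main__":
    for f in check_build_config(BUILD_CONFIG) + check_runtime_headers(RUNTIME_HEADERS):
        print("PASS" if f.passed else "FAIL", f.check, f.detail)
```

The split between blocking and non-blocking checks is deliberate: the same test set runs at build and at deploy, but only the checks the team has agreed on stop the pipeline, so a new check can be introduced as report-only first and promoted once it is known to be quiet.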
65. Makers
— See security as part of engineering
— View quality as a way to bring in security
— Use code to solve problems
68. Benefits to Experimentation
— Measured, Repeatable
— Results based on your needs
— Actionable Outcomes
69. Security incidents are not effective measures of detection because at that point it's already too late
— Aaron Rinehart
70. Know Most Likely Attacks and How to Measure Abuse and Misuse
71. We can't cede home field advantage
— Zane Lackey
81. Security in the Pipeline
— Software composition analysis
— Lang linters, git-hound, ...
— Scanners, gauntlt
— Monitoring and telemetry
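The "git-hound" item above is the class of check that looks at what a change adds before it lands. Here is an added example in that spirit (not git-hound's own code, and not the speakers'): a pre-commit or CI step that scans only the added lines of a diff for secret-shaped content and returns a blocking exit code when it finds any. The patterns, file names, key ID and password values in the sample diff are constructed for this example.

```python
"""Added example in the spirit of git-hound (not the project's code): a
pre-commit / CI step that scans only the lines a diff adds for secret-shaped
content and blocks the change when it finds any. The diff and its values are
constructed so the script runs offline."""
import re
from typing import NamedTuple

SECRET_PATTERNS = {
    # AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM header of any private key type (RSA, EC, OPENSSH, ...).
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # A credential name assigned a non-empty string literal, e.g. DB_PASSWORD = "...".
    "hardcoded_credential": re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{4,}['"]"""),
}

# Constructed unified diff, the shape a hook reads from `git diff --cached`.
# The key ID, password and key material below are made up for this example.
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,4 +1,6 @@
 DEBUG = False
-OLD_TOKEN = "deprecated-token-value"
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
+RETRIES = 3
 TIMEOUT = 30
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA...constructed-placeholder...
"""


class SecretHit(NamedTuple):
    file: str
    line: str
    rule: str


def added_lines(diff: str):
    """Yield (file, content) for each '+' line. '+++' headers only set the
    current file name. Removed ('-') lines are ignored on purpose: a secret
    leaving the tree is not a new leak, though it may still need rotating."""
    current = None
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            current = raw[4:].removeprefix("b/")
        elif raw.startswith("+"):
            yield current, raw[1:]


def scan_diff(diff: str) -> list[SecretHit]:
    """Run every pattern over every added line; one hit per (line, rule)."""
    hits = []
    for file, line in added_lines(diff):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append(SecretHit(file, line, rule))
    return hits


def hook_exit_code(diff: str) -> int:
    """Pre-commit / CI semantics: a non-zero exit blocks the commit or build."""
    hits = scan_diff(diff)
    for h in hits:
        print(f"{h.file}: {h.rule}: {h.line}")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(hook_exit_code(SAMPLE_DIFF))
```

Scanning only added lines keeps the check fast enough to run on every commit and keeps its output about the change under review rather than the whole repository's history; a full-history sweep is a separate, slower job.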
82. [Deploys] can be treated as standard or routine changes that have been pre-approved by management, and that don’t require a heavyweight change review meeting.
89. Fact: No system is secure on its own; it requires humans to create it
90. Safety Differently Origins
"Safety differently is about relying on people’s expertise, insights and the dignity of work as actually done to improve safety and efficiency. It is about halting or pushing back on the ever-expanding bureaucratization and compliance of work."
— Sidney Dekker
91. "Security differently is about relying on people’s expertise, insights and the dignity of work as actually done to improve security and efficiency. It is about halting or pushing back on the ever-expanding bureaucratization and compliance of work."
92. Security Currently vs. Security Differently
Security Currently                 | Security Differently
People are the Source of Problems  | People are the Solution
Tell them what to do               | Ask them what they need
Control & Compliance               | Competency & Common Sense
Count absence of Negative events   | Count Presence of Positives
93. Outcomes are the ultimate measurement of effectiveness
107. Root Cause (in a complex system) is a Myth
— Lacks full picture
— Complex systems are not linear
— Result of blame culture
— Forgets organizational decisions
— Puts the focus on the event over situation
108. Humans aren’t the problem, they are the solution
109. Field Guide to 'Human-Error' Investigations by Sidney Dekker
110. Old View
— Human Error is a cause of trouble
— You need to find people’s mistakes, bad judgements and inaccurate assessments
— Complex Systems are basically safe
— Unreliable, erratic humans undermine systems safety
— Make systems safer by restricting the human condition
111. New View
— Human error is a symptom of deeper system trouble
— Instead, understand how their assessment and actions made sense at the time: context matters
— Complex systems are basically unsafe
— Complex systems are tradeoffs between competing goals, safety vs. efficiency
— People must create safety through practice at all levels
114. Failures are a systems problem because there is not enough safety margin.
— @adrianco
115. Where Security Fits
— Add safety margin
— Telemetry and instrumentation
— Blameless retros
— ...more to explore in this area
116. Resources
— Drift into Failure by Dekker
— Safety Differently by Dekker
— Understanding Human Error Video Series youtu.be/Fw3SwEXc3PU
— Richard Cook paper bit.ly/2ydDQS2
146. Our systems almost never fail the way we think they will
147. Resilience is the ability of systems to prevent or adapt to changing conditions in order to maintain control over a system property…to ensure safety… and to avoid failure.
— Hollnagel, Woods, & Leveson
149. Where is the Safety Margin in Security?
150. How do you know when you’re getting close to falling off the edge?
Do we have to fall off of the edge to know where it is?
151. [Chaos Engineering is] empirical rather than formal. We don’t use models to understand what the system should do. We run experiments to learn what it does.
— Michael Nygard, Release It 2nd Ed.
157. The security discipline of [chaos] experimentation is done in order to build confidence in the system’s ability to defend against malicious conditions.
158. Chaos Engineering
— Experiments that span eng and security
— Manual opt-out
— Valuable Learning
— Controlled experiment blast radius
159. Security Problems that Plague Complex Systems
— Configuration drift over time
— Regressions in code where previously solved vulnerabilities are reintroduced
— Role and privilege changes for users and applications
— Additive code or microservice that introduces a downstream vulnerability
— Security controls not placed in correct locations in the system
— Bullwhip effect in systems where small security change results in widespread outage
160. Outside-In Approach to SCE
— SCE does not validate a config, it exercises it
— SCE does not check auth privileges, it attempts to thwart them
— SCE does not trust network settings, it sends real traffic
— SCE does not check app policy, it interacts with the application
— SCE does not build a model from infrastructure templates, it builds understanding from experimentation
161. 4 Steps of Security Chaos Engineering
— Define expected behavior of a security defense
— Hypothesize that when security turbulence is introduced it will be either prevented, remediated, or detected.
— Introduce a variable that introduces security turbulence.
— Try to disprove the hypothesis by looking for a difference in expected behavior and actual behavior
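The four steps, carried through end to end as an added example that is not the speakers' tooling: the turbulence injected is the "configuration drift over time" problem from slide 159 (a world-open firewall rule appearing), and the defense under test is a drift monitor that alerts on rules outside an approved baseline. The baseline rules, the detector and the experiment record are all constructed; a real run would read the live rule set and exercise the real alerting path. The manual opt-out and the blast-radius control from slide 158 are included, since they decide whether the experiment is safe to run at all.

```python
"""Added example, not the speakers' tooling: the four steps of Security Chaos
Engineering written as one runnable experiment against a simulated firewall
rule set. Baseline, injected drift and detector are all constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    port: int
    cidr: str


@dataclass
class Experiment:
    name: str
    expected: str                 # step 1: expected behaviour of the defense
    hypothesis: str               # step 2: stated before anything is changed
    turbulence: str               # step 3: what will be introduced
    held: Optional[bool] = None   # step 4 result; None means not run
    evidence: list = field(default_factory=list)


# Step 1, expected behaviour: ingress is HTTPS from anywhere and SSH from the
# management range only. (Constructed baseline.)
BASELINE = {Rule(443, "0.0.0.0/0"), Rule(22, "10.0.0.0/8")}


def drift_detector(baseline: set, effective: set) -> list[str]:
    """The defense under test: alert on any effective rule missing from the
    approved baseline. Stands in for whatever config monitor is really deployed."""
    extra = sorted(effective - baseline, key=lambda r: (r.port, r.cidr))
    return [f"unapproved ingress: port {r.port} from {r.cidr}" for r in extra]


def inject_open_port(effective: set, port: int) -> set:
    """Step 3, turbulence: a world-open rule appears, the kind of drift a
    hot-fix or a well-meaning script can introduce. Works on a copy so the
    experiment's blast radius is the copy, not the live rule set."""
    drifted = set(effective)
    drifted.add(Rule(port, "0.0.0.0/0"))
    return drifted


def run_experiment(effective: set, baseline: set = BASELINE,
                   opt_out: bool = False) -> Experiment:
    """Run all four steps and record whether the hypothesis held."""
    exp = Experiment(
        name="open-port-drift",
        expected="ingress limited to the approved baseline rules",
        hypothesis="an unapproved world-open rule is alerted on within one monitor cycle",
        turbulence="add 0.0.0.0/0 on port 3306",
    )
    if opt_out:  # manual opt-out: the design is recorded, nothing is changed
        return exp
    drifted = inject_open_port(effective, 3306)
    # Step 4: try to disprove the hypothesis by comparing expected and actual.
    exp.evidence = drift_detector(baseline, drifted)
    exp.held = any("port 3306" in a for a in exp.evidence)
    return exp


if __name__ == "__main__":
    result = run_experiment(BASELINE)
    print("hypothesis held" if result.held else "hypothesis refuted", result.evidence)
```

Running it against the approved baseline gives a held hypothesis. Running it with a baseline that already lists port 3306 (a stale allowlist, which is drift of a different kind) gives a refuted one with no evidence at all: the control passes silently, which is precisely the outcome an experiment is meant to surface before an incident does.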
177. Next Week:
* Dive into 1-2 of the MEASURE areas
* Find a place to add value
In a Month:
* Present on MEASURE to your company
* Bring Dev/Ops/Sec together to find a joint improvement
In 6 months:
* Share externally your DevSecOps Journey
178. Get the slides and book update info
wickett@verica.io