How Security can be the Next Force Multiplier in DevOps

SESSION ID: ASD-F01

Andrew Storms, VP, Security Services, New Context (@St0rmz)

Make security the reason for DevOps adoption

◆Software development challenges

◆DevOps doesn’t address secure coding challenges

◆It's our duty to effect change in DevOps

◆Security embedded in DevOps makes DevOps better

◆Don’t fear DevOps – Know the people, processes and tools

◆Find your positive entry points

◆Making a plan

[Slide diagram: each process step has its own owner]

Process Step:  Plan | Code | Test | Release      | Deploy | Operate
Owner:         PM   | Dev  | QA   | Release Mgmt | Ops    | Ops      | Security (after everything else)

◆Non DevOps software development environment

◆Everything is separate

[Slide diagram: the same step/owner pipeline, now with business pressures pushing down on it]

Process Step:  Plan | Code | Test | Release      | Deploy | Operate
Owner:         PM   | Dev  | QA   | Release Mgmt | Ops    | Ops      | Security

Downward business pressures: Time To Market, Changing Requirements, Tech Debt, Control Costs, Risk Reduction, Reporting

[Slide diagram: the same pipeline with security pressures pushing up from below]

Process Step:  Plan | Code | Test | Release      | Deploy | Operate
Owner:         PM   | Dev  | QA   | Release Mgmt | Ops    | Ops      | Security

Downward business pressures: Time To Market, Changing Requirements, Tech Debt, Control Costs, Risk Reduction, Reporting

Upward security pressures: Threat Mgmt, Risk Reduction, Reporting

[Slide diagram: the same pipeline squeezed between governance from above and security pressures from below]

Process Step:  Plan | Code | Test | Release      | Deploy | Operate
Owner:         PM   | Dev  | QA   | Release Mgmt | Ops    | Ops      | Security

Governance, Policy, Audit, Compliance

Downward business pressures: Time To Market, Changing Requirements, Tech Debt, Control Costs, Risk Reduction, Reporting

Upward security pressures: Threat Mgmt, Risk Reduction, Reporting

Sources of pressure: Program Management, Business & Product, Security & Compliance, Software Dev

◆External pressures

◆Disjointed

◆Costly

◆Siloed

◆Opaque

◆Complex

◆Always late, out of sync, fragile

Then along came DevOps

Non DevOps                  DevOps

◆Disjointed                 ◆Conjoined

◆Costly                     ◆Lean

◆Opaque                     ◆Transparent

◆Always late                ◆Agile

[Slide diagram: the Plan / Code / Test / Release / Deploy / Operate pipeline, with DevOps (shown in green) now owning the whole pipeline and Ops and Security still off to the side; Governance, Policy, Audit and Compliance above; the same business pressures (Time To Market, Changing Requirements, Tech Debt, Control Costs, Risk Reduction, Reporting) below; security pressures (Threat Mgmt, Risk Reduction, Reporting) beneath those; the pipeline itself labelled Agile]

Green = DevOps

◆Meets business & product needs

◆On time within budget

◆Meets ops and dev needs

◆Agile, harmonious, consistent

◆Fails to meet security needs

◆No attempt to deliver secure application code

◆Security still left out and left last

How popular is DevOps?

◆Oct 2014 CA Technologies Survey

◆88% of respondents already have or plan to adopt DevOps in the next 5 years (up from 66% the prior year)

◆Top obstacle (28%) to DevOps in their organization was security or compliance concerns

◆Oct 2014 Rackspace Survey

◆55% already implemented DevOps. 31% planning to implement DevOps within 3 years.

◆Primary driver for DevOps? Only 2% said audit or compliance

https://www.wendangku.net/doc/9b10127525.html,/us/articles/devops/research-report--devops-the-worst-kept-secret-to-winning-in-the-application-economy.aspx

https://www.wendangku.net/doc/9b10127525.html,/sites/default/files/devops-automation-report.pdf

DevOps Kicks The Security Can Down The Road

[Slide diagram: Old Way vs DevOps Way]

Old Way:     Plan | Code | Test | Release      | Deploy | Operate
             PM   | Dev  | QA   | Release Mgmt | Ops    | Ops      | Security

DevOps Way:  Plan | Code | Test | Release | Deploy | Operate
             DevOps (all steps)                      | Ops | Security

Security is still the last guy

DevOps Is Bad For Security

◆Fast

◆~50 deploys a day!

◆Faster to production = faster to be pwned

◆Too much complexity

◆Unwieldy

◆Everyone has access to everything

◆Full stack engineers

◆Fewer test cases

◆Deplorable

◆No audit

◆No control points

◆No process

DevOps Is Good For Security

◆Increases process insertion points

◆Increases consistency

◆Increases predictability

◆Decreases time to change

◆Increases auditability

◆Reduces costs

◆Reduces waste

Simple. Manageable. Automatable. Testable.

Security Is Good For DevOps

[Slide diagram: what each side brings the other]

DevOps brings:              Security brings:

◆Business enabler           ◆Protects privacy

◆Transparency               ◆Accountability

◆Trust                      ◆Regulatory & audit

Let the people focus on their core competencies

Know Your Nemesis

Security Team

◆Compliance

◆Silos

◆Change control

◆FUD masters

DevOps Teams

◆Security != compliance

◆Open

◆Lots of change

◆Data scientists

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.

If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu

How do we get these teams to work together?

(Every DevOps presentation must have random gears image)

Action Plan

◆Pipeline

◆Tools

◆Processes

◆Today’s todos

[Slide diagram: items arranged along a Short term / Long term axis]

Know your DevOps

Apply Security Expertise to DevOps Pipeline

[Slide diagram of the DevOps pipeline: Dev → Git → Jenkins (App Code, Inf Code, Templates; Functional Tests, Security Tests, Other Tests) → Chef → Stage → Prod, with Logging, Log Analysis and Instrumentation (statsd) running across every stage]

◆Git (Source Code Management)

◆Make it the source of truth for everything

◆Sometimes people use Chef for revision control

◆Separate repositories for each cookbook

◆Branching strategy needs to support isolation, rollback, logging

◆Git Hooks

◆Enforce policy at commit time

◆Commit message, additional logging
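An added example, not from the talk or its author, of the "enforce policy at commit time" idea: a git commit-msg hook that rejects commits whose message breaks a (hypothetical) policy and appends an audit line for each decision. The ticket-id convention, the 72-character subject limit, the "Risk:" line and the log path are all assumptions for this example.

```shell
#!/bin/sh
# Example commit-msg hook (added illustration, not the talk's own code).
# Install as .git/hooks/commit-msg; git passes the path of the message file as $1.
# Policy below is assumed for the example: ticket id in the subject, subject
# no longer than 72 characters, and a "Risk: low|medium|high" line in the body.

POLICY_LOG="${POLICY_LOG:-/tmp/commit-policy.log}"   # assumed audit log location

# Append who/when/decision/why to the audit log. Logging failure must never
# block a commit, so errors are swallowed and the function always succeeds.
log_decision() {
    who="${GIT_AUTHOR_EMAIL:-$(id -un)}"
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$who" "$1" "$2" \
        >> "$POLICY_LOG" 2>/dev/null || true
}

# Returns 0 when the message in file $1 satisfies the policy, 1 otherwise.
check_commit_msg() {
    msgfile="$1"
    subject=$(sed -n '1p' "$msgfile")
    # Every change must be traceable to a work item, e.g. "SEC-123 ..."
    if ! printf '%s\n' "$subject" | grep -Eq '^[A-Z]{2,}-[0-9]+ '; then
        echo "commit-msg: subject must start with a ticket id (e.g. SEC-123)" >&2
        log_decision REJECT "no-ticket: $subject"
        return 1
    fi
    # Keep the subject readable in logs and change reports
    if [ "${#subject}" -gt 72 ]; then
        echo "commit-msg: subject longer than 72 characters" >&2
        log_decision REJECT "too-long: $subject"
        return 1
    fi
    # Force the author to state the risk so reviewers and auditors can triage
    if ! grep -Eq '^Risk: *(low|medium|high)$' "$msgfile"; then
        echo "commit-msg: add a 'Risk: low|medium|high' line" >&2
        log_decision REJECT "no-risk: $subject"
        return 1
    fi
    log_decision ACCEPT "$subject"
    return 0
}

# When run by git, $1 is the message file; with no arguments, only define functions.
[ "$#" -eq 0 ] || check_commit_msg "$1"
```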
