Establishing a DevSecOps Program - Secure360
TRANSCRIPT
Page 1 (source: secure360.org/wp-content/uploads/2015/05/Establishing...)
Celebrating a decade of guiding security professionals.
@Secure360 or #Sec360 www.Secure360.org
Establishing a DevSecOps Program
Shannon Lietz
DevSecOps Leader & Sr. Mgr Cloud Security Engineering at Intuit
Page 2
Who I am
• 25+ years Technology and Security Experience
• Background in Security R&D
• Working with the Cloud before it was called the “Cloud”
• Manage my teams using DevOps and Scrum
• IR & Crisis Management
-- FOUNDER --
Page 3
How was DevSecOps discovered?
Securing at the rate of Innovation…
• Pain
• Trial & Error
• Blood, sweat & tears
• Ouch, my head hurts!
It would have been great to hear this talk a couple years ago….
Bang Head Here
Page 4
Case for Change
• DevOps, Agile and Scrum on the rise…
• Workload migrations to software defined environments…
• Enterprises increasingly turning to Public and Private Cloud Providers…
• Talent migrating to progressive companies willing to embrace change…
• Start-ups now have game changing capabilities available for rent…
• Competitive landscape has been changing…
Public Cloud
Page 5
What is DevSecOps?
Problem Statement
• DevOps requires continuous Deployments
• Fast decision making is critical to DevOps success
• Traditional Security just doesn’t scale or move fast enough…
Welcome DevSecOps!!
• Customer focused Mindset
• Scale, Scale, Scale
• Objective Criteria
• Proactive Hunting
• Continuous Detection & Response
Page 6
Emerging Security Trends
• Shortage of Security Professionals
• Big companies are attempting to scale security to move faster: Facebook, Netflix, LinkedIn, AWS, Intuit
• Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason Chan, Gene Kim, Josh Corman
• Introduction of DevSecOps at MIRCon in 2014
• SecDevOps at RSA 2015 was a full day of dedicated content
• LinkedIn People Search: 8 DevSecOps, 7 SecDevOps, 7 DevOpsSec, 29k+ Cloud Security
Page 7
The Art of DevSecOps
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
Page 8
Getting Started
Some basic principles:
• You don’t need to do all of DevSecOps at once.
• Small security teams can have a profound impact.
• Organize around self-service.
• Figure out how to communicate security for the layperson.
Page 9
Path to DevSecOps (from DevOps + Security to DevOps + DevSecOps)
• Start Here? Security as Code? Experiment: Automate Policy Governance
• Security Operations? Experiment: Detection via Security Operations
• Compliance Operations? Experiment: Compliance via DevSecOps toolkit
• Science? Experiment: Science via Profiling
Page 10
The DevSecOps Mindset
• Customer Focus
• Open & Transparent
• Iteration over Perfection
• Hunting over Reaction
• Hmmm - wait a minute, this sounds like a manifesto -> insert shameless plug here: http://www.devsecops.org
Page 11
What’s the Work of a DevSecOps Team?
Imagine that you will need to support all facets of security inline with development teams and at speed…
• Do you have enough security experts to embed resources in DevOps teams?
• Have you got amazing talent that would rather hunt for Security defects than create value?
• Are you ready to invest in Self-Service for Security?
• Are you working with a Cloud environment and can your team code?
Page 12
Ready to make these decisions?

| | On-Prem | Partial On-Prem | Outsource w/ No Indemnif. | Outsource w/ Part. Indemnif. | Outsource w/ Full Indemnif. |
|---|---|---|---|---|---|
| Who is responsible? (Internal to Partners) | You | You | You | You + Partner | Partner |
| Which minimal controls are needed? | Physical Security; Secure Handling & Disposal | File or Object Encryption for Sensitive Data; Physical Security; Secure Handling & Disposal | File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation | File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation | Partner Security Controls; SOC Attestation |
| Where does data transit and get stored? | company “owned” data center or co-location | any compute & transit; data stored on-prem | public cloud; free services | SaaS; public cloud; free services; private cloud | managed services; SaaS; private cloud |
| What are the innovation benefits? | reduced latency; search sensitive data | speed; reduced friction; search sensitive data | speed; reduced friction; evolving patterns; community | speed; reduced friction; evolving patterns; community | speed; reduced friction; indemnification |
| What are the potential risks? | SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow | Latency; SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow | Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown; Reduced Financial responsibility | Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown | Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown |
Page 13
Or set up “policies” that look like this…

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:ChangePassword",
      "iam:GetAccountPasswordPolicy"
    ],
    "Resource": "*"
  }
}
```

(The slide shows "Version": "2015-05-09". IAM accepts only "2012-10-17" or "2008-10-17" as the policy-language version, so the document is shown here with the current one. The grant itself is the self-service minimum: the caller may change their own password and read the account password policy, and nothing else.)
Page 14
And how do you hunt for security issues in software defined environments?
Page 15
Can you communicate security complexity using simple processes?
1 Discover 2 Evaluate 3 Control 4 Communicate
Page 16
More importantly, how do you translate?
```ruby
# Excerpt from the deck; log, roledb, policydiff, options and iam come from the
# surrounding tool, which the slide does not show.
begin
  # Inline policies present on the role but absent from the approved baseline (roledb).
  (iam.client.list_role_policies(:role_name => role)[:policy_names] -
     roledb.list_policies(role)).each do |policy|
    # Show what the unapproved policy grants. IAM returns the document URL-encoded;
    # URI.decode was removed in Ruby 3, hence decode_www_form_component.
    log.warn("Deleting Policy \"#{policy}\", which is not part of the approved baseline.") if policydiff(
      "{}",
      URI.decode_www_form_component(
        iam.client.get_role_policy(:role_name => role, :policy_name => policy)[:policy_document]
      ),
      {:argv => ARGV, :diff => options.diff}
    )
    # Heal the role unless running in dry-run mode.
    options.dryrun ? nil :
      iam.client.delete_role_policy(:role_name => role, :policy_name => policy)
  end
end
```
Account Grade:
B Heal Account?
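As an added example (not the deck's own tooling, and not the script the snippet above is excerpted from), here is the same idea carried through end to end and runnable offline: policy documents are canonicalized before comparison, drift against an approved baseline is reported, the account is graded, and healing is a dry run unless asked otherwise. It also folds in the self-service password policy from the earlier slide as the baseline content. BASELINE, sample_roles, FakeIam (a stand-in for Aws::IAM::Client) and the A-to-F grade scale are assumptions made for the example.

```ruby
require 'json'

# Added example, not the deck's code. Approved baseline (stand-in for the deck's
# "roledb"): role => { policy name => document }. The one document is the
# self-service password policy from the earlier slide.
BASELINE = {
  'ReadOnly' => {
    'self-service-password' => {
      'Version' => '2012-10-17',
      'Statement' => [{ 'Effect' => 'Allow',
                        'Action' => ['iam:ChangePassword', 'iam:GetAccountPasswordPolicy'],
                        'Resource' => '*' }]
    }
  }
}.freeze

# What is actually on the role (constructed). The first policy is the baseline grant
# written differently (Statement as an object, actions reordered); the second is drift.
def sample_roles
  {
    'ReadOnly' => {
      'self-service-password' => {
        'Version' => '2012-10-17',
        'Statement' => { 'Effect' => 'Allow',
                         'Action' => ['iam:GetAccountPasswordPolicy', 'iam:ChangePassword'],
                         'Resource' => '*' }
      },
      'debug-admin' => {
        'Version' => '2012-10-17',
        'Statement' => { 'Effect' => 'Allow', 'Action' => '*', 'Resource' => '*' }
      }
    }
  }
end

# Hypothetical stand-in for Aws::IAM::Client with the three calls the deck's snippet uses.
# (The real get_role_policy returns the document URL-encoded; decode it first.)
class FakeIam
  attr_reader :deleted
  def initialize(roles)
    @roles = roles
    @deleted = []
  end
  def list_role_policies(role_name:)
    @roles.fetch(role_name).keys
  end
  def get_role_policy(role_name:, policy_name:)
    JSON.generate(@roles.fetch(role_name).fetch(policy_name))
  end
  def delete_role_policy(role_name:, policy_name:)
    @roles.fetch(role_name).delete(policy_name)
    @deleted << [role_name, policy_name]
  end
end

# IAM accepts Statement as an object or an array and Action/Resource as a string or
# an array, so canonicalize before comparing; otherwise equivalent documents show as drift.
LIST_KEYS = %w[Action NotAction Resource NotResource].freeze
def normalize(doc)
  doc = JSON.parse(doc) if doc.is_a?(String)
  stmt = doc['Statement']
  stmts = (stmt.is_a?(Array) ? stmt : [stmt]).map do |s|
    s.to_h { |k, v| [k, LIST_KEYS.include?(k) ? Array(v).map(&:to_s).sort : v] }
  end
  { 'Version' => doc['Version'], 'Statement' => stmts.sort_by(&:to_json) }
end

# Policies on the role that are absent from the baseline or differ from it.
def drift(iam, role, baseline)
  approved = baseline.fetch(role, {})
  iam.list_role_policies(role_name: role).reject do |name|
    approved.key?(name) &&
      normalize(iam.get_role_policy(role_name: role, policy_name: name)) == normalize(approved[name])
  end
end

# Account grade by number of drifted policies (a hypothetical scale).
def grade(drifted_count)
  { 0 => 'A', 1 => 'B', 2 => 'C' }.fetch(drifted_count, 'F')
end

# Report drift for every role and, unless dry-running, delete the offending policies.
def heal(iam, roles, baseline, dryrun: true)
  drifted = roles.flat_map { |role| drift(iam, role, baseline).map { |p| [role, p] } }
  drifted.each do |role, policy|
    warn "Deleting policy #{policy.inspect} on #{role}, not part of the approved baseline."
    iam.delete_role_policy(role_name: role, policy_name: policy) unless dryrun
  end
  { grade: grade(drifted.size), drifted: drifted }
end
```

With the constructed input, the first `heal` call (dry run) grades the account B and names `debug-admin` as the drift without touching it; a second call with `dryrun: false` deletes it and the grade returns to A. The normalization step is what keeps the reordered but equivalent `self-service-password` policy from being flagged.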
Page 17
Consider the DevSecOps Approach: Incident Driven Development (IDD)
• Share your Security Tools with everyone in your organization
• Everything is an incident; how you deal with it is a matter of priority and severity
• Run campaigns & internal bounty programs; consider giving out t-shirts
• Use your security experts as scientists
• Keep Investigations separate
Page 18
Your environment should look something like this…
(pipeline as drawn on the slide)
• AWS accounts: S3, Glacier, EC2, CloudTrail
• ingestion
• security tools & data, plus threat intel
• security science
• insights
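How hunting over such a pipeline might look, as an added example that is not part of the deck: three rules run over constructed CloudTrail records (the record shape follows CloudTrail's; the account ids, addresses and principals are invented), answering the earlier question of how to hunt for security issues in software defined environments. The threat-intel feed is a hypothetical set, and `SecRole` is the cross-account security role the deck names on the following slide.

```ruby
require 'json'
require 'set'

# Added example, not the deck's pipeline. Constructed inputs: a hypothetical
# threat-intel feed (documentation-range address) and five CloudTrail records.
THREAT_INTEL_IPS = Set['198.51.100.23'].freeze
IAM_MUTATIONS = Set['CreateUser', 'CreateAccessKey', 'PutRolePolicy', 'AttachRolePolicy',
                    'PutUserPolicy', 'AttachUserPolicy', 'UpdateAssumeRolePolicy'].freeze
TRAIL_TAMPERING = Set['StopLogging', 'DeleteTrail', 'UpdateTrail'].freeze

SAMPLE_EVENTS = <<~JSONL
  {"eventID":"e1","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.23","recipientAccountId":"222222222222","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::222222222222:user/bob"}}
  {"eventID":"e2","eventSource":"iam.amazonaws.com","eventName":"PutRolePolicy","sourceIPAddress":"203.0.113.5","recipientAccountId":"222222222222","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::222222222222:assumed-role/SecRole/alice"}}
  {"eventID":"e3","eventSource":"iam.amazonaws.com","eventName":"CreateUser","sourceIPAddress":"203.0.113.9","recipientAccountId":"222222222222","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::222222222222:user/bob"}}
  {"eventID":"e4","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","sourceIPAddress":"203.0.113.9","recipientAccountId":"222222222222","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::222222222222:user/bob"}}
  {"eventID":"e5","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.5","recipientAccountId":"222222222222","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::222222222222:assumed-role/AppRole/i-0abc"}}
JSONL

# One JSON record per line, as a CloudTrail ingestion step would hand them over.
def parse_events(jsonl)
  jsonl.each_line.map(&:strip).reject(&:empty?).map { |l| JSON.parse(l) }
end

# IAM changes in BU accounts are expected only through the central team's SecRole sessions.
def via_sec_role?(event)
  event.dig('userIdentity', 'type') == 'AssumedRole' &&
    event.dig('userIdentity', 'arn').to_s.include?(':assumed-role/SecRole/')
end

# Apply the three hunting rules to one record; returns zero or more findings.
def findings_for(event)
  rules = []
  rules << 'threat-intel-ip' if THREAT_INTEL_IPS.include?(event['sourceIPAddress'])
  rules << 'cloudtrail-tampering' if event['eventSource'] == 'cloudtrail.amazonaws.com' &&
                                     TRAIL_TAMPERING.include?(event['eventName'])
  rules << 'iam-change-outside-secrole' if event['eventSource'] == 'iam.amazonaws.com' &&
                                           IAM_MUTATIONS.include?(event['eventName']) &&
                                           !via_sec_role?(event)
  rules.map do |rule|
    { rule: rule, event_id: event['eventID'], account: event['recipientAccountId'],
      principal: event.dig('userIdentity', 'arn'), ip: event['sourceIPAddress'] }
  end
end

def hunt(events)
  events.flat_map { |e| findings_for(e) }
end

# The "insights" end of the pipeline: hits per rule, the shape a dashboard or ticket queue wants.
def summarize(findings)
  findings.group_by { |f| f[:rule] }.transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  findings = hunt(parse_events(SAMPLE_EVENTS))
  findings.each { |f| puts JSON.generate(f) }
  puts JSON.generate(summarize(findings))
end
```

On the constructed input, `e1` trips the threat-intel rule, `e3` is an IAM change made by a plain IAM user rather than through `SecRole`, and `e4` is trail tampering; `e2` (the same kind of IAM change, but via `SecRole`) and `e5` produce nothing. Each rule is a judgement about what is normal in your accounts, which is why the deck puts science and profiling next to detection.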
Page 19
And your team will need to operate like this…
(diagram on the slide)
• Central Account (Trusted): Admin, IAM
• BU Accounts (Trusting): a SecRole in each account (IAM)
How did we decide which roles would be deployed?
• Human: IAM Admin, Incident Response, Read Only
• Services: IAM Grantor, Instance Roles required to support security services, Read Only
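An added example, not the deck's own code, of the check a central security team would run against the trusting accounts: parse each SecRole's trust policy and confirm it trusts only the central account, that human roles require MFA, and that the only action granted is sts:AssumeRole. The account ids, the concatenated role names (taken from the list above) and the MFA rule for human roles are assumptions made for the example.

```ruby
require 'json'

# Added example, not the deck's code. Constructed ids and role names.
CENTRAL_ACCOUNT = '111111111111'                       # the trusted (central) account
HUMAN_ROLES   = %w[IAMAdmin IncidentResponse ReadOnly].freeze
SERVICE_ROLES = %w[IAMGrantor SecurityInstanceRole ServiceReadOnly].freeze

# Constructed trust documents as they might be found in one BU (trusting) account.
SAMPLE_TRUST = {
  'IncidentResponse' => { 'Version' => '2012-10-17', 'Statement' => [{
    'Effect' => 'Allow', 'Action' => 'sts:AssumeRole',
    'Principal' => { 'AWS' => "arn:aws:iam::#{CENTRAL_ACCOUNT}:root" },
    'Condition' => { 'Bool' => { 'aws:MultiFactorAuthPresent' => 'true' } } }] },
  'ReadOnly' => { 'Version' => '2012-10-17', 'Statement' => [{
    'Effect' => 'Allow', 'Action' => 'sts:AssumeRole', 'Principal' => { 'AWS' => '*' } }] },
  'IAMAdmin' => { 'Version' => '2012-10-17', 'Statement' => [{
    'Effect' => 'Allow', 'Action' => 'sts:AssumeRole',
    'Principal' => { 'AWS' => 'arn:aws:iam::999999999999:root' },
    'Condition' => { 'Bool' => { 'aws:MultiFactorAuthPresent' => 'true' } } }] },
  'SecurityInstanceRole' => { 'Version' => '2012-10-17', 'Statement' => [{
    'Effect' => 'Allow', 'Action' => 'sts:AssumeRole',
    'Principal' => { 'Service' => 'ec2.amazonaws.com' } }] }
}.freeze

# IAM allows Statement to be a single object or an array.
def statements(doc)
  s = doc['Statement']
  s.is_a?(Array) ? s : [s]
end

# Principal may be the string "*" or a hash with AWS / Service / Federated entries.
def principals(stmt)
  p = stmt['Principal']
  return ['*'] if p == '*'
  Array(p['AWS']) + Array(p['Service']) + Array(p['Federated'])
end

# arn:aws:iam::ACCOUNT:root -> ACCOUNT (nil for the wildcard principal)
def account_of(arn)
  arn == '*' ? nil : arn.split(':')[4]
end

def mfa_required?(stmt)
  stmt.dig('Condition', 'Bool', 'aws:MultiFactorAuthPresent').to_s == 'true'
end

# Problems with one role's trust policy; an empty list means it conforms.
def audit_trust(role, doc, central: CENTRAL_ACCOUNT, human: HUMAN_ROLES.include?(role))
  issues = []
  statements(doc).select { |s| s['Effect'] == 'Allow' }.each do |s|
    actions = Array(s['Action'])
    issues << "allows #{actions.join(',')} instead of only sts:AssumeRole" unless actions == ['sts:AssumeRole']
    principals(s).each do |p|
      if p == '*'
        issues << 'trusts any principal'
      elsif p.end_with?('.amazonaws.com')
        # Service principals are expected on instance roles only.
        issues << "human role trusts service #{p}" if human
      elsif account_of(p) != central
        issues << "trusts foreign account #{account_of(p)}"
      end
    end
    issues << 'no MFA condition on a human role' if human && !mfa_required?(s)
  end
  issues
end

def audit_all(trust_docs = SAMPLE_TRUST)
  trust_docs.to_h { |role, doc| [role, audit_trust(role, doc)] }
end
```

Run over the constructed documents, `IncidentResponse` and `SecurityInstanceRole` pass, `ReadOnly` is flagged for trusting any principal without MFA, and `IAMAdmin` for trusting an account other than the central one. Run the audit from the central account before granting anyone the SecRole path, and again on every change to a trust document (the CloudTrail event for that is `UpdateAssumeRolePolicy`).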
Page 20
It’s not easy but it can make a difference…
• Security stops being the reason nothing gets done.
• Everyone in your organization is responsible for security.
• Security can be a differentiator in most organizations and leads to its own innovation discovery.
Page 21
Vendors embracing DevSecOps
• AWS
• TAP by Mandiant
• SumoLogic
• Splunk
• OpenDNS
• Evident.io
• AlertLogic
• Tanium
• Outlier Security
• Continuum Security
Page 22
Resources
• http://www.devsecops.org
• @devsecops
• LinkedIn Group: DevSecOps
• Github: DevSecOps