is there room for secarch in devsecops?...“Πόλεμος πατήρ πάντων” (war/struggle...
TRANSCRIPT
Page 1
Is there room for SecArch in DevSecOps? (or can old dogs perform new tricks?)
Dimitrios Petropoulos
26 April 2018
Page 2
$ cut -f5 -d: /etc/passwd | grep -i petropoulos
• Dimitrios Petropoulos
• Cryptographer by education (nobody’s perfect)
• Security Architect (& past security developer) by trade
• Have been breaking & mending things for over a third of a century
Page 3
this.Presentation
• …contains questions – not answers…
• Majority of points in this presentation are
  • Personal conclusions after having worked with numerous organisations and tried to extract common patterns of behaviour and trends
  • conjectures (in the mathematical sense of the word, i.e. unproven propositions which appear correct)
  • Based on relatively recent mindset
• Might be controversial…
• Don’t expect you to agree with me
<Rant>
Page 4
Constant change & unity of opposites
“Τα πάντα ρεί”* (everything flows)
“Πόλεμος πατήρ πάντων” (war/struggle is the father of all)
Heraclitus (c.535 – c.475 BC)
* - and Francesco Gabbani in Occidentali’s Karma
Page 5
The brave new world
The opportunity:
• Cloud
• *aaS
• Automation
• AI
• Big Data
• …
The requirements (& benefits):
• Agility (↑)
• Speed (↑)
• Scalability (↑)
• Cost (↓)
Page 6
The challenge is: ‘security’
Source: https://www.sumologic.com
Page 7
The birth of DevSecOps
• In times where speed and agility are the name of the game, security:
  • cannot slow down business…
  • …but cannot be overlooked
• The answer (allegedly) comes from automation
Page 8
It all started here…
What does this ‘Sec’ mean?
Page 9
The ‘Sec’ in ‘DevSecOps’
• Application Security Testing
  • SAST
  • DAST
  • IAST
• Infrastructure/Platform Vulnerability Scanning
• Platform configuration & compliance
• Deployment of controls
  • Firewalling, micro-segmentation
  • WAFs, DBSGs, etc.
  • RASP
• Identity & Access Management
• …
Automated & programmatically provisioned
Page 10
Where does ‘SecArch’ fit in all this?
Page 11
Is SecArch superfluous?
• We didn’t get software ‘right’ in the era of rigider (stricter?) SDLC paradigms – do we stand a better chance in these agile times?
• Can DevOps make a difference?
• Can DevSecOps make a difference?
  • They are a step in the right direction
  • Facilitating (i.e. automating) unwanted (i.e. security) tasks can only help
  • But they cannot replace SecArch
Page 12
Web App SecArch (example)
Page 13
Infra SecArch evolution (example) [1]
[Diagram: Internet – Internet F/W – Internal F/W – Trust Zones A, B, C and D, each a virtualised server with a hypervisor, a vSwitch and its VMs]
Page 14
Infra SecArch evolution (example) [2]
Page 15
‘*as Code’
• Infrastructure as Code
• Security as Code
• …
• Can we determine (let alone achieve) the objectives without sound SecArch?
• Manifestos alone (rugged as they may be) are not enough…
• God help us…
• SecDevOps’ reach is not broad or deep enough…
• It’s not early enough in the lifecycle…
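As an added illustration of the ‘Security as Code’ point (not code from the deck or its author), the trust-zone architecture sketched on the earlier infra example is encoded as a checkable policy: the SecArch decides which zone-to-zone flows exist and which firewall each must traverse, and the code rejects deployments that deviate. Zone names, firewall names, the allowed-flow table and the sample deployment are assumptions constructed for this example.

```python
from collections import namedtuple

# SecArch decision (assumed, modelled on the trust-zone diagram): which
# zone-to-zone flows exist and which firewall each must traverse.
# Any pair not listed is denied; same-zone traffic stays on the vSwitch.
ALLOWED_FLOWS = {
    ("Internet", "A"): "InternetF/W",
    ("A", "B"): "InternalF/W",
    ("B", "C"): "InternalF/W",
}

# A VM and the trust zone of the virtualised server hosting it.
Vm = namedtuple("Vm", "name zone")
# A connectivity declaration from the IaC: src/dst are VM names (or "Internet"),
# via is the firewall it claims to traverse, None for vSwitch-local traffic.
Flow = namedtuple("Flow", "src dst via")

def check_deployment(vms, flows):
    """Return violations of the architecture; an empty list means compliant."""
    zone_of = {vm.name: vm.zone for vm in vms}
    zone_of["Internet"] = "Internet"
    violations = []
    for f in flows:
        if f.src not in zone_of or f.dst not in zone_of:
            violations.append(f"{f.src}->{f.dst}: unknown endpoint")
            continue
        src_zone, dst_zone = zone_of[f.src], zone_of[f.dst]
        if src_zone == dst_zone:
            continue  # intra-zone, switched locally: no firewall required
        required = ALLOWED_FLOWS.get((src_zone, dst_zone))
        if required is None:
            violations.append(f"{f.src}->{f.dst}: {src_zone}->{dst_zone} not in SecArch")
        elif f.via != required:
            violations.append(f"{f.src}->{f.dst}: must traverse {required}, got {f.via}")
    return violations

# Constructed sample deployment: a 3-tier app spread over zones A, B and C.
SAMPLE_VMS = [Vm("web1", "A"), Vm("app1", "B"), Vm("app2", "B"), Vm("db1", "C")]
SAMPLE_FLOWS = [
    Flow("Internet", "web1", "InternetF/W"),   # permitted
    Flow("web1", "app1", "InternalF/W"),       # permitted
    Flow("app1", "app2", None),                # same zone, vSwitch-local
    Flow("app1", "db1", "InternalF/W"),        # permitted
    Flow("web1", "db1", "InternalF/W"),        # A->C is not an architected flow
    Flow("web1", "app2", None),                # A->B declared without the Internal F/W
]

if __name__ == "__main__":
    for v in check_deployment(SAMPLE_VMS, SAMPLE_FLOWS):
        print("VIOLATION:", v)
```

Such a check belongs in the pipeline next to the IaC it validates, so a deployment that bypasses the architected firewalls fails before it is provisioned.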
Page 16
Architecture comes first…
[Diagram: Architecture, Strategy & Governance; Policy & Standards; Compliance & Metrics; Construction; Verification; Operations; Cyber Defence – mapped onto Dev, Sec and Ops]
Page 17
Don’t say I didn’t warn you…
• XY + XZ = X(Y + Z)
• SecDev + SecOps = Sec(Dev + Ops)
Now that σ(Dev, Sec, Ops) has freed us from the chains of the mundane, can we focus and spend more time on something that really matters?
Page 18
</Rant>
Thank you for your attention!
Time for questions…
https://www.linkedin.com/in/dpetropoulos/