Security Practitioner Perspective on DevOps for Building Secure Solutions, October 19th, 2016 © 2016 Carnegie Mellon University
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Security Practitioner Perspective on DevOps for Building Secure Solutions
Zane Lackey, Hasan Yasar
Copyright 2016 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0004111
This talk will cover the perspectives of security practitioners on building secure software using the DevOps development process and modern security approach.
Building Secure Solutions
DevOps Foundations
The DevOps Movement Began as a Reaction … to years of disconnect between Development and Operations that began to manifest itself as conflict and inefficiency.
What is DevOps?
DevOps (a portmanteau of "development" and "operations") emphasizes communication, collaboration, and integration between software developers and information technology (IT) operations personnel. [1]
[1] http://en.wikipedia.org/wiki/DevOps
Silos Block Collaboration (Dev, Ops, QA, Analysts)
Silos Reinforce Waterfall: Developers → QA Engineers → IT Operations
Teams have moved to Agile methodologies, but roles still align with waterfall methods.
Water-Scrum-Fall (Jez Humble, https://youtu.be/L1w2_AY82WY; Dave West, http://sdtimes.com/analyst-watch-water-scrum-fall-is-the-reality-of-agile/):
• Water: Business (research, budget, document)
• Scrum: Development
• Fall: QA and Operations (integrate, test, release)
DevOps is an Extension of Agile Thinking
Agile: embrace constant change; embed the Customer in the team to internalize expertise on requirements and domain.
DevOps: embrace constant testing and delivery; embed Operations in the team to internalize expertise on deployment and maintenance.
Polling: Does your organization follow DevOps processes and methodologies?
Every Transition of the System is a Risk
Agile Means Constant Transition
Significant Collaboration Is Needed Where Paths Intersect
Developers: create, change, deliver
Operations: maintain, monitor, manage environment
To address these pain points, DevOps promotes collaboration
Heavy collaboration between Dev and Ops on:
• Design / Architecture decisions
• Environment / Network configuration
• Deployment planning
• Code Review
Constantly available open communication channels:
• Dev and Ops together in all project meetings
• Chat/Email/Wiki services available to all team members
• Dev / Ops report together as one project team
An Engaged, Cross-Functional team is needed
Early involvement of experts
• Ops = experts in maintainability and deployability
Complete engagement
• Don’t bring Ops Engineers in as consultants – make them first-class team members with same success criteria as devs
Break down organizational silos
• Enable and require constant communication
DevOps Aims to Increase…
…the pace of innovation
…responsiveness to business needs
…collaboration
…software quality
Multiple Dimensions of DevOps
Culture
• Developers and Ops collaborate (Ops includes security)
• Developers and Operations support releases beyond deployment
• Dev and Ops have access to stakeholders who understand business and mission goals
Process and Practices
• Pipeline streamlining
• Continuous-delivery practices (e.g., continuous integration; test automation; script-driven, automated deployment; virtualized, self-service environments)
System and Architecture
• Architected to support test automation and continuous-integration goals
• Applications that support changes without release (e.g., late binding)
• Scalable, secure, reliable, etc.
Automation and Measurement
• Automate repetitive and error-prone tasks (e.g., build, testing, and deployment; maintain consistent environments)
• Static analysis automation (architecture health)
• Performance dashboards
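The Automation and Measurement dimension puts static analysis and automated deployment into the pipeline, and a later slide in this deck warns that a security step that blocks everything will simply be routed around. The gate below is an added example, not code from the deck or from any particular scanner: it fails the build only for findings that are both new (not in a recorded baseline) and of blocking severity, and reports everything else without stopping the deploy. The finding shape (rule, severity, file, line, snippet), the rule ids, the file names and the baseline are constructed for illustration; in practice you would map a scanner's SARIF or JSON output into that shape.

```python
import hashlib
from typing import Dict, Iterable, Set

# Added example, not code from the deck or from any particular scanner. The
# finding dicts use a constructed, tool-neutral shape (rule, severity, file,
# line, snippet); in practice you would map a scanner's SARIF/JSON output into it.

BLOCKING_SEVERITIES = {"critical", "high"}


def fingerprint(finding: Dict[str, object]) -> str:
    """Stable identity of a finding: rule + file + the flagged code, deliberately
    NOT the line number, so an unrelated edit that shifts lines does not turn
    an already-tracked finding into a 'new' one that blocks the build."""
    raw = "|".join([str(finding["rule"]), str(finding["file"]),
                    str(finding["snippet"]).strip()])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def evaluate_gate(findings: Iterable[Dict[str, object]],
                  baseline: Set[str]) -> Dict[str, object]:
    """Fail the pipeline only for NEW findings at blocking severity; everything
    else is reported, never ignored, but does not stop the deploy."""
    blocking, warnings, known = [], [], []
    for f in findings:
        if fingerprint(f) in baseline:
            known.append(f)
        elif str(f["severity"]).lower() in BLOCKING_SEVERITIES:
            blocking.append(f)
        else:
            warnings.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "warnings": warnings, "known": known}


def pipeline_exit_code(findings, baseline) -> int:
    """0 lets the deploy proceed, 1 stops it: what a CI stage would return."""
    return 0 if evaluate_gate(findings, baseline)["passed"] else 1


# Constructed findings for a hypothetical service; rule ids are illustrative.
SAMPLE_FINDINGS = [
    {"rule": "hardcoded-secret", "severity": "high", "file": "app/config.py",
     "line": 12, "snippet": 'DB_PASSWORD = "hunter2"'},
    {"rule": "debug-enabled", "severity": "medium", "file": "app/settings.py",
     "line": 3, "snippet": "DEBUG = True"},
    {"rule": "sql-string-concat", "severity": "high", "file": "app/db.py",
     "line": 44, "snippet": 'cursor.execute("SELECT * FROM users WHERE id = " + uid)'},
]

# Baseline recorded on an earlier run: the same sql-string-concat finding, then
# at line 40. It is tracked debt with an owner, so it must not block every build.
BASELINE = {fingerprint({"rule": "sql-string-concat", "file": "app/db.py", "line": 40,
                         "snippet": 'cursor.execute("SELECT * FROM users WHERE id = " + uid)'})}


if __name__ == "__main__":
    report = evaluate_gate(SAMPLE_FINDINGS, BASELINE)
    for bucket in ("blocking", "warnings", "known"):
        for f in report[bucket]:
            print(f"{bucket:8s} {f['severity']:8s} {f['file']}:{f['line']} {f['rule']}")
    print("gate passed:", report["passed"])
```

Run against the sample, the hard-coded secret is new and high, so the gate fails; the debug flag is reported as a warning; the tracked SQL concatenation is recognised through its fingerprint even though it moved from line 40 to line 44. Remove the secret and the same pipeline passes, which is the property you want: the gate stops regressions without becoming the six-week blocker the deck describes.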
Integration and communication, even among tools, is the key to integrating security into the development platform!
Building Secure Solutions
DevOps Lessons Learned
Polling: Do you have a Security Ops team as part of development activities?
For security teams, the world has changed in three fundamental ways:
– Agility means code deployment is trending to near-instantaneous
– Security is no longer the gatekeeper to deployment
– If security is a blocker, it will be routed around
Near-instantaneous deployment?
A simulation of deploying code in the waterfall model
What is this shifting to?
An agility example: Etsy pushes to production 50 times a day on average
Constant iteration in production via feature flags, ramp ups, A/B testing
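Feature flags and ramp-ups are what make "iteration in production" safe, and the kill switch is also the closest thing continuous deployment has to an out-of-band patch: you disable the feature for everyone in seconds and fix forward through the normal pipeline. The flag store below is an added example, not Etsy's code or anything from the deck. Buckets come from a keyed hash so a user lands in the same bucket on every request and cannot choose a bucket for themselves; because a user is enabled when bucket < percent, raising the percentage only ever adds users and nobody flips back. The flag name, user ids and secret are constructed.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Set

# Added example (not Etsy's or the deck's code): a minimal feature-flag store
# with deterministic percentage ramp-ups and a kill switch. Flag names, user
# ids and the secret below are constructed for illustration.


class FeatureFlags:
    def __init__(self, secret: bytes) -> None:
        # Keyed hash: users cannot predict or choose their own bucket, and the
        # bucket for one flag says nothing about the bucket for another.
        self._secret = secret
        self._flags: Dict[str, dict] = {}

    def define(self, name: str, percent: int = 0,
               allow: Optional[Iterable[str]] = None) -> None:
        self._check(percent)
        self._flags[name] = {"percent": percent, "allow": set(allow or ()), "killed": False}

    def ramp(self, name: str, percent: int) -> None:
        """Move the rollout to `percent`. enabled() tests bucket < percent, so
        raising the percentage only adds users; nobody is flipped back."""
        self._check(percent)
        self._flags[name]["percent"] = percent

    def kill(self, name: str) -> None:
        """Kill switch: off for everyone, allow-list included, without a deploy."""
        self._flags[name]["killed"] = True

    def bucket(self, name: str, user_id: str) -> int:
        mac = hmac.new(self._secret, f"{name}:{user_id}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big") % 100

    def enabled(self, name: str, user_id: str) -> bool:
        flag = self._flags.get(name)
        if flag is None or flag["killed"]:
            return False            # unknown or killed flags fail closed
        if user_id in flag["allow"]:
            return True             # staff / beta users see it first
        return self.bucket(name, user_id) < flag["percent"]

    @staticmethod
    def _check(percent: int) -> None:
        if not 0 <= percent <= 100:
            raise ValueError("percent must be between 0 and 100")


def rollout_cohort(flags: FeatureFlags, name: str, users: Iterable[str]) -> Set[str]:
    """Users who currently see the feature (the number a dashboard would graph)."""
    return {u for u in users if flags.enabled(name, u)}


if __name__ == "__main__":
    ff = FeatureFlags(secret=b"constructed-example-secret")
    ff.define("new_checkout", percent=0, allow={"staff-42"})
    users = [f"user-{i}" for i in range(1000)]
    for pct in (0, 1, 10, 50, 100):
        ff.ramp("new_checkout", pct)
        print(f"{pct:3d}% -> {len(rollout_cohort(ff, 'new_checkout', users))} of {len(users)} users")
    ff.kill("new_checkout")
    print("after kill, staff-42 enabled:", ff.enabled("new_checkout", "staff-42"))
```

Two properties matter for security here and both are checked by the code's structure rather than by convention: unknown or killed flags fail closed, and the cohort at 10% is a subset of the cohort at 50%, so a vulnerability found during a ramp is confined to a known, stable population while the kill switch takes it out of production.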
But doesn't the rapid rate of change mean things are less secure?!
Actually, the opposite is true
The key thing to realize is that vulnerabilities occur in all development methodologies
…But there’s no such thing as an out-of-band patch in continuous deployment
Compared to:
“We’ll rush that security fix. It will go out …in about 6 weeks.”
- Former vendor at Etsy
Polling: Do you believe that the DevOps process, mainly continuous delivery, is a barrier to application security?
What makes continuous deployment safe?
Visibility
Source: http://www.slideshare.net/mikebrittain/advanced-topics-in-continuous-deployment
The same hard lessons are slowly shifting to security
Slide 41
Ex: Which of these is a quicker way to spot an attack?
Slide 42
Option 1 (screenshot of a raw web-server access log): a wall of GET requests for CSS, image and JavaScript assets, each line carrying a timestamp, status code, referrer and browser user-agent string.
Slide 43
Option 2 (screenshot of a dashboard): two time-series panels, "Attacks" and "Anomalies", plotted as counts over the morning (9AM to 10AM).
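As an added example (not from the slides), the step that turns the raw access log of slide 42 into the attacks/anomalies series of slide 43: parse combined-format lines, tag each request, and count per minute. The log lines, client addresses, paths and the two signatures are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote
# Apache/nginx "combined" access-log format, the shape of the raw-log screenshot.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Textbook request signatures counted as "attack" events, matched on the percent-decoded path.
ATTACK_SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (r"\.\./", r"<script")]

# Constructed sample log: ordinary asset requests, then one noisy minute from a single client.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2012:22:32:10 +0000] "GET /assets/dist/css/base.css HTTP/1.1" 304 - "http://app.example/" "Mozilla/5.0"
10.0.0.5 - - [20/Feb/2012:22:32:10 +0000] "GET /assets/dist/js/common.js HTTP/1.1" 200 127238 "http://app.example/" "Mozilla/5.0"
10.0.0.9 - - [20/Feb/2012:22:33:02 +0000] "GET /files/..%2F..%2Fconfig HTTP/1.1" 404 162 "-" "curl/7.0"
10.0.0.9 - - [20/Feb/2012:22:33:05 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 2048 "-" "curl/7.0"
10.0.0.9 - - [20/Feb/2012:22:33:09 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.0"
10.0.0.7 - - [20/Feb/2012:22:34:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def classify(path, status):
    """'attack' if the decoded path hits a signature; 'anomaly' if the server refused it (4xx/5xx)."""
    tags = set()
    if any(sig.search(unquote(path)) for sig in ATTACK_SIGNATURES):
        tags.add("attack")
    if status >= 400:
        tags.add("anomaly")
    return tags

def bucket_counts(log_text, window_seconds=60):
    """Collapse raw lines into per-window counts keyed "HH:MM": the series a dashboard plots."""
    series = defaultdict(lambda: {"total": 0, "attacks": 0, "anomalies": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # one unparseable line must not stop the whole batch
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        epoch = int(ts.timestamp())
        key = datetime.fromtimestamp(epoch - epoch % window_seconds, tz=ts.tzinfo).strftime("%H:%M")
        tags = classify(m["path"], int(m["status"]))
        series[key]["total"] += 1
        series[key]["attacks"] += "attack" in tags
        series[key]["anomalies"] += "anomaly" in tags
    return dict(series)

def windows_over_threshold(series, max_attacks=1):
    """Windows whose attack count exceeds max_attacks, oldest first: the spikes a chart shows at a glance."""
    return sorted(k for k, v in series.items() if v["attacks"] > max_attacks)
```

Run against a real log, the same per-window counts are what the dashboard panels plot; the raw-log view makes you read every line to find the 22:33 spike.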
Slide 44
Increase agility by surfacing security visibility for everyone, not just the security team
Slide 45
Having to talk to security to get security awareness causes delays
Slide 46
Having to talk to security to get security awareness causes delays
Delays get routed around
Slide 47
To embrace agility, security has to decentralize
Slide 48
Lessons Learned:
– Embracing DevOps/Agile/Continuous Deployment helps, not harms, security
– Visibility is the key to moving quickly and safely
– You (in the general case) are never going to be able to hire enough staff, so steal everyone else’s
Slide 49
More on SEI DevOps Blog
https://insights.sei.cmu.edu/devops
https://signalsciences.com/resources/
Slide 50
Thank you!
[email protected]@sei.cmu.edu
@zanelackey @securelifecycle