Adrian Sanabria, profile picture
Uploaded byAdrian Sanabria
PPTX, PDF1,260 views

Cloud, DevOps and the New Security Practitioner

The document discusses the evolving role of security practitioners amidst changes in technology such as cloud computing and DevOps, emphasizing the need for security to integrate more closely with IT functions. It highlights the challenges of traditional security approaches, advocates for asset owners to take responsibility for security, and suggests that practitioners should develop skills in automation, coding, and modern technologies. The conclusion calls for a shift in focus from traditional security practices to understanding broader technological trends and innovations.

Embed presentation

Downloaded 17 times
Cloud, DevOps and the New Security Practitioner 15, June 2016 1:30PM Adrian Sanabria Senior Security Analyst 451 Research To get a copy of these slides, send an email to sawaba@zip.sh with CSW2016 in the subject line or scan this QR code
Slide 2 Why are we here?  IT changes fast. Attackers change fast. Defenders don’t.  IT is changing  Attackers are adapting  The security discipline is diverging
Slide 3 Understanding security’s role by understanding IT Traditional approach to security:  Security is always a secondary or enabling layer  Security must have direct knowledge and experience with the underlying layer in order to be effective at protecting it or recommending feasible solutions  Direct experience in core technical disciplines goes a long way in earning respect and cooperation Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
Slide 4 Understanding security’s role by understanding IT Issues with the traditional approach:  Few security teams can ever be ‘well-rounded’ enough  Security team isn’t qualified to advise much of IT  Adversarial/dysfunctional relationships common  IT changes often; attackers adapt quickly  Defenders and security tools adapt slowly Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
Slide 5 Security Security’s changing role An example: going ‘cloud-first’  Lower-level IT layers are outsourced  Most security practitioner knowledge lies in these layers  Infrastructure-heavy security skillsets lose value  Concept of bi-modal IT further confuses things  As IT changes, so must security Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
Slide 6 Security’s changing role Cloud and DevOps – an opportunity to redesign security:  Smaller ‘well-rounded’ groups  Dev, ops, infrastructure and security roles are shared  Everyone working towards a clear, common goal  Relationship between security and developers is crucial  Security can’t impact delivery schedule Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security
Slide 7 Questions What should security’s future role be?  Security is redistributed into IT for all operational tasks  Dedicated security staff performs  high-level design, design/architectural input  monitor changes in risk/attackers/landscape  instruct/consult individual SMEs as needed Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security SME Internal Security Team Security SME Security SME Security SME
Slide 8 Increasingly, software resembles these principles Yesterday, Chef announced Habitat https://www.chef.io/blog/2016/06/14/introducing-habitat/ So… what’s up with the yin/yang visual metaphor? …and where’s security? Sec analysts are too
Slide 9 Chef Habitat, your latest shadow IT problem
Slide 10 New rule: if you own it, own it “Whomever is responsible for an asset – be it data, infrastructure, code, or people, must secure it”
Slide 11 Why make asset owners responsible?  No one knows and understands the opportunities, constraints and dependencies of the asset better  Security becomes a bottleneck for performance, progress and often, even security  Little to no time wasted on remediation conflict: what to fix, how to fix it, when and at what priority level  Likely that fewer security issues will occur*  Drives the cost of securing systems down, in terms of labor, efficiency and efficacy** * I’ll explain later ** I’ll explain after that
Slide 12 Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson Reads like a short version of the Phoenix Project
Slide 13 Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson  Creating an independent testing group can encourage counterproductive culture  “Don’t do today what you can push off onto someone else’s plate”  Document and address low hanging fruit  Schedule time for developers to test and fix bugs  To improve code quality, stop the problem at the source  Everyone should understand what they’re building and why  Get testers involved earlier in the process  Bottleneck testing resources and developers are forced to ship higher quality code http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf
Slide 14 Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson  Could this apply to InfoSec?  Surely not.  In fact, it might be quite worse.  We’ve convinced everyone not just that security is our job, but that we’re the only ones that can do it properly.  What if they believed us?
Slide 15 Jobs!
Slide 16 The Enterprise Looked Like This
Slide 17 Then, the Enterprise Looked Like This
Slide 18 Today, the Enterprise Looks Like This
Slide 19 Storage Database Networking Enterprise as a service App Services Mobile Dev Tools
Slide 20 This is not now.
Slide 21 So… you want to give away our jobs?  Traditional InfoSec doesn’t have to worry for a while  Be aware of the change  Learn new things now – don’t wait for later Currently, new security jobs are often NOT going to security practitioners, and we’ll discuss why…
Slide 22 The Security Practitioner: old versus new  Monitoring security alerts  Manage network security  Manage endpoint security  IR/Forensics  Pentesting  Vulnerability Scanning  Policies/Standards  Compliance/Regs  Log management  DR/BCP and SecAware  Influence design, architecture standards, processes  Automate tasks  Forensics  Security assessments  Identify gaps and recommend fixes  JSON, REST, XML, SQL  Routing, load balancing, nw protocols
Slide 23 How common?  6 out of the first 10 jobs I looked at required:  coding skills  new tech generation experience and/or skills
Slide 24 Like what experience or skills?  “Ability to automate tasks using scripting or other programming language”  “Scripting or general purpose programming languages”  REST, JSON, XML (API scripting)  “Experience with DevOps, CI/CD, Chef, Puppet”  “Experience testing for vulnerabilities in Ruby on Rails applications”  “Experience with various scripting and programming languages”  “Teach secure coding practices to software engineers”
Slide 25 What should I learn?  Scripting (automation)  Get familiar with cloud, agile, devops, containers, microservices, etc.  AppSec  Data protection  Learn to write code
Slide 26 What should I learn?  Cloud – focus on AWS, Azure, Digital Ocean (cheap)  Containers – focus on Docker  Pick a language - ruby and python are most common  Jenkins  Ansible, Chef, Puppet, Salt  New attack surface  Don’t make security worse!  Automation  Make security better!
Slide 27 How should I learn it?  Good starting point: find a security guy that loves to automate security and plunder his GitHub: https://github.com/averagesecurityguy  And more: https://github.com/krmaxwell  https://github.com/nbrownus  Slack makes cool stuff  Go after AWS Certs just to learn AWS  Digital Ocean Tutorials
Slide 28 Resources – efficiency and workflow Learning to recognize efficiency and workflow issues; challenging ”because we’ve always done it that way”  Better Testing, Worse Quality, Elizabeth Hendrickson  Four Hour Work Week, Tim Ferris  The Phoenix Project, Kevin Behr, George Spafford, Gene Kim  Signal v. Noise 37Signals blogs (on medium) and books  ReWork by the Basecamp guys
Slide 29 Resources – new ideas New ideas – challenge assumptions, push thinking …also, VIDEOS!  Distributed Security Alerting by Ryan Huber (blog)  Security Automation by Ryan Huber (video)  What Got Us Here Won’t Get Us There Black Hat keynote by Haroon Meer  Cloud Computing – Why IT Matters by Simon Wardley at OSCON 09
Slide 30 Conclusion If you want to understand where security is going, stop looking at security, and start following IT innovation, trends and changes
THANK YOU! Adrian Sanabria @sawaba Adrian.Sanabria@451Research.com To get a copy of these slides, send an email to sawaba@zip.sh with CSW2016 in the subject line or scan this QR code

More Related Content

PPTX
Security and DevOps Overview
byAdrian Sanabria
 
PPTX
Open Source Defense for Edge 2017
byAdrian Sanabria
 
PPTX
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
PPTX
451 AppSense Webinar - Why blame the user?
byAdrian Sanabria
 
PPTX
2016 virus bulletin
byAdrian Sanabria
 
PPTX
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
byAdrian Sanabria
 
PPTX
RSAC 2016: CISO's guide to Startups
byAdrian Sanabria
 
PPTX
Ten Security Product Categories You've Probably Never Heard Of
byAdrian Sanabria
 
Security and DevOps Overview
byAdrian Sanabria
 
Open Source Defense for Edge 2017
byAdrian Sanabria
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
451 AppSense Webinar - Why blame the user?
byAdrian Sanabria
 
2016 virus bulletin
byAdrian Sanabria
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
byAdrian Sanabria
 
RSAC 2016: CISO's guide to Startups
byAdrian Sanabria
 
Ten Security Product Categories You've Probably Never Heard Of
byAdrian Sanabria
 

What's hot

PPTX
The Teams Behind DevSecOps
byUleska
 
PPTX
DevSecCon KeyNote London 2015
byShannon Lietz
 
PPTX
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PDF
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
byTom Stiehm
 
PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
PDF
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
PPTX
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
PPTX
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
PDF
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
PPTX
S360 2015 dev_secops_program
byShannon Lietz
 
PDF
Why does security matter for devops by Caroline Wong
byDevSecCon
 
PDF
Chaos engineering for cloud native security
byKennedy
 
PPTX
Finding Security a Home in a DevOps World
byShannon Lietz
 
PDF
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
byDJ Schleen
 
The Teams Behind DevSecOps
byUleska
 
DevSecCon KeyNote London 2015
byShannon Lietz
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
The Future of DevSecOps
byStefan Streichsbier
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
byTom Stiehm
 
The Journey to DevSecOps
bySeniorStoryteller
 
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
S360 2015 dev_secops_program
byShannon Lietz
 
Why does security matter for devops by Caroline Wong
byDevSecCon
 
Chaos engineering for cloud native security
byKennedy
 
Finding Security a Home in a DevOps World
byShannon Lietz
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
byDJ Schleen
 

Similar to Cloud, DevOps and the New Security Practitioner

PPTX
Fortify-Application_Security_Foundation_Training.pptx
byVictoriaChavesta
 
PPTX
Fortify-Application_Security_Foundation_Training.pptx
byYoisRoberthTapiadeLa
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PPTX
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
PPTX
Digital Product Security
bySoftServe
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
PDF
Introduction to Cybersecurity
byKrutarth Vasavada
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PDF
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
PDF
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
byMatthew Rosenquist
 
PDF
How to get started in cybersecurity
byStephen Jesukanth Martin
 
PDF
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
byDraup3
 
PPTX
The New Security Practitioner
byAdrian Sanabria
 
PPTX
NZISF Talk: Six essential security services
byHinne Hettema
 
PDF
Cloud Security Summit - InfoSec World 2014
byBill Burns
 
PPTX
What affects security program confidence? - may2014 - bill burns
byBill Burns
 
PDF
Cyber Risk Management in 2017: Challenges & Recommendations
byUlf Mattsson
 
PPT
Presentation to Irish ISSA Conference 12-May-11
byMichael Ofarrell
 
PDF
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
bySreejesh Madonandy
 
PDF
Cybersecurity Management Principles, 11 - 14 Sept 2017 KL, Malaysia / 17 - 20...
by360 BSI
 
Fortify-Application_Security_Foundation_Training.pptx
byVictoriaChavesta
 
Fortify-Application_Security_Foundation_Training.pptx
byYoisRoberthTapiadeLa
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
Digital Product Security
bySoftServe
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
Introduction to Cybersecurity
byKrutarth Vasavada
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
byMatthew Rosenquist
 
How to get started in cybersecurity
byStephen Jesukanth Martin
 
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
byDraup3
 
The New Security Practitioner
byAdrian Sanabria
 
NZISF Talk: Six essential security services
byHinne Hettema
 
Cloud Security Summit - InfoSec World 2014
byBill Burns
 
What affects security program confidence? - may2014 - bill burns
byBill Burns
 
Cyber Risk Management in 2017: Challenges & Recommendations
byUlf Mattsson
 
Presentation to Irish ISSA Conference 12-May-11
byMichael Ofarrell
 
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
bySreejesh Madonandy
 
Cybersecurity Management Principles, 11 - 14 Sept 2017 KL, Malaysia / 17 - 20...
by360 BSI
 

More from Adrian Sanabria

PPTX
451 and Cylance - The Roadmap To Better Endpoint Security
byAdrian Sanabria
 
PPTX
The state of endpoint defense in 2021
byAdrian Sanabria
 
PPTX
Red Team Framework
byAdrian Sanabria
 
PPTX
Equifax Breach Postmortem
byAdrian Sanabria
 
PDF
The Products We Deserve
byAdrian Sanabria
 
PPTX
Securing Systems - Still Crazy After All These Years
byAdrian Sanabria
 
PPTX
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
byAdrian Sanabria
 
PPTX
Ten security product categories you've (probably) never heard of
byAdrian Sanabria
 
PDF
2019 InfoSec Buyer's Guide
byAdrian Sanabria
 
PPTX
From due diligence to IoT disaster
byAdrian Sanabria
 
PPTX
Lies and Myths in InfoSec - 2023 Usenix Enigma
byAdrian Sanabria
 
PPTX
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
byAdrian Sanabria
 
PPTX
Why does InfoSec play bass?
byAdrian Sanabria
 
PPTX
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
byAdrian Sanabria
 
PPTX
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
byAdrian Sanabria
 
451 and Cylance - The Roadmap To Better Endpoint Security
byAdrian Sanabria
 
The state of endpoint defense in 2021
byAdrian Sanabria
 
Red Team Framework
byAdrian Sanabria
 
Equifax Breach Postmortem
byAdrian Sanabria
 
The Products We Deserve
byAdrian Sanabria
 
Securing Systems - Still Crazy After All These Years
byAdrian Sanabria
 
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
byAdrian Sanabria
 
Ten security product categories you've (probably) never heard of
byAdrian Sanabria
 
2019 InfoSec Buyer's Guide
byAdrian Sanabria
 
From due diligence to IoT disaster
byAdrian Sanabria
 
Lies and Myths in InfoSec - 2023 Usenix Enigma
byAdrian Sanabria
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
byAdrian Sanabria
 
Why does InfoSec play bass?
byAdrian Sanabria
 
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
byAdrian Sanabria
 
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
byAdrian Sanabria
 

Recently uploaded

PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PDF
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PPTX
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PDF
The Accel 2025 Globalscape: Race for compute
byPhilippe Botteri
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
The Accel 2025 Globalscape: Race for compute
byPhilippe Botteri
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 

Cloud, DevOps and the New Security Practitioner

  • 1.
    Cloud, DevOps andthe New Security Practitioner 15, June 2016 1:30PM Adrian Sanabria Senior Security Analyst 451 Research To get a copy of these slides, send an email to [email protected] with CSW2016 in the subject line or scan this QR code
  • 2.
    Slide 2 Why arewe here?  IT changes fast. Attackers change fast. Defenders don’t.  IT is changing  Attackers are adapting  The security discipline is diverging
  • 3.
    Slide 3 Understanding security’srole by understanding IT Traditional approach to security:  Security is always a secondary or enabling layer  Security must have direct knowledge and experience with the underlying layer in order to be effective at protecting it or recommending feasible solutions  Direct experience in core technical disciplines goes a long way in earning respect and cooperation Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
  • 4.
    Slide 4 Understanding security’srole by understanding IT Issues with the traditional approach:  Few security teams can ever be ‘well-rounded’ enough  Security team isn’t qualified to advise much of IT  Adversarial/dysfunctional relationships common  IT changes often; attackers adapt quickly  Defenders and security tools adapt slowly Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
  • 5.
    Slide 5 Security Security’s changingrole An example: going ‘cloud-first’  Lower-level IT layers are outsourced  Most security practitioner knowledge lies in these layers  Infrastructure-heavy security skillsets lose value  Concept of bi-modal IT further confuses things  As IT changes, so must security Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
  • 6.
    Slide 6 Security’s changingrole Cloud and DevOps – an opportunity to redesign security:  Smaller ‘well-rounded’ groups  Dev, ops, infrastructure and security roles are shared  Everyone working towards a clear, common goal  Relationship between security and developers is crucial  Security can’t impact delivery schedule Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security
  • 7.
    Slide 7 Questions What shouldsecurity’s future role be?  Security is redistributed into IT for all operational tasks  Dedicated security staff performs  high-level design, design/architectural input  monitor changes in risk/attackers/landscape  instruct/consult individual SMEs as needed Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security SME Internal Security Team Security SME Security SME Security SME
  • 8.
    Slide 8 Increasingly, softwareresembles these principles Yesterday, Chef announced Habitat https://www.chef.io/blog/2016/06/14/introducing-habitat/ So… what’s up with the yin/yang visual metaphor? …and where’s security? Sec analysts are too
  • 9.
    Slide 9 Chef Habitat,your latest shadow IT problem
  • 10.
    Slide 10 New rule:if you own it, own it “Whomever is responsible for an asset – be it data, infrastructure, code, or people, must secure it”
  • 11.
    Slide 11 Why makeasset owners responsible?  No one knows and understands the opportunities, constraints and dependencies of the asset better  Security becomes a bottleneck for performance, progress and often, even security  Little to no time wasted on remediation conflict: what to fix, how to fix it, when and at what priority level  Likely that fewer security issues will occur*  Drives the cost of securing systems down, in terms of labor, efficiency and efficacy** * I’ll explain later ** I’ll explain after that
  • 12.
    Slide 12 Better Testing,Worse Quality? Study done in 2000 by Elizabeth Hendrickson Reads like a short version of the Phoenix Project
  • 13.
    Slide 13 Better Testing,Worse Quality? Study done in 2000 by Elizabeth Hendrickson  Creating an independent testing group can encourage counterproductive culture  “Don’t do today what you can push off onto someone else’s plate”  Document and address low hanging fruit  Schedule time for developers to test and fix bugs  To improve code quality, stop the problem at the source  Everyone should understand what they’re building and why  Get testers involved earlier in the process  Bottleneck testing resources and developers are forced to ship higher quality code http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf
  • 14.
    Slide 14 Better Testing,Worse Quality? Study done in 2000 by Elizabeth Hendrickson  Could this apply to InfoSec?  Surely not.  In fact, it might be quite worse.  We’ve convinced everyone not just that security is our job, but that we’re the only ones that can do it properly.  What if they believed us?
  • 15.
  • 16.
    Slide 16 The EnterpriseLooked Like This
  • 17.
    Slide 17 Then, theEnterprise Looked Like This
  • 18.
    Slide 18 Today, theEnterprise Looks Like This
  • 19.
    Slide 19 Storage Database Networking Enterprise asa service App Services Mobile Dev Tools
  • 20.
  • 21.
    Slide 21 So… youwant to give away our jobs?  Traditional InfoSec doesn’t have to worry for a while  Be aware of the change  Learn new things now – don’t wait for later Currently, new security jobs are often NOT going to security practitioners, and we’ll discuss why…
  • 22.
    Slide 22 The SecurityPractitioner: old versus new  Monitoring security alerts  Manage network security  Manage endpoint security  IR/Forensics  Pentesting  Vulnerability Scanning  Policies/Standards  Compliance/Regs  Log management  DR/BCP and SecAware  Influence design, architecture standards, processes  Automate tasks  Forensics  Security assessments  Identify gaps and recommend fixes  JSON, REST, XML, SQL  Routing, load balancing, nw protocols
  • 23.
    Slide 23 How common? 6 out of the first 10 jobs I looked at required:  coding skills  new tech generation experience and/or skills
  • 24.
    Slide 24 Like whatexperience or skills?  “Ability to automate tasks using scripting or other programming language”  “Scripting or general purpose programming languages”  REST, JSON, XML (API scripting)  “Experience with DevOps, CI/CD, Chef, Puppet”  “Experience testing for vulnerabilities in Ruby on Rails applications”  “Experience with various scripting and programming languages”  “Teach secure coding practices to software engineers”
  • 25.
    Slide 25 What shouldI learn?  Scripting (automation)  Get familiar with cloud, agile, devops, containers, microservices, etc.  AppSec  Data protection  Learn to write code
  • 26.
    Slide 26 What shouldI learn?  Cloud – focus on AWS, Azure, Digital Ocean (cheap)  Containers – focus on Docker  Pick a language - ruby and python are most common  Jenkins  Ansible, Chef, Puppet, Salt  New attack surface  Don’t make security worse!  Automation  Make security better!
  • 27.
    Slide 27 How shouldI learn it?  Good starting point: find a security guy that loves to automate security and plunder his GitHub: https://github.com/averagesecurityguy  And more: https://github.com/krmaxwell  https://github.com/nbrownus  Slack makes cool stuff  Go after AWS Certs just to learn AWS  Digital Ocean Tutorials
  • 28.
    Slide 28 Resources –efficiency and workflow Learning to recognize efficiency and workflow issues; challenging ”because we’ve always done it that way”  Better Testing, Worse Quality, Elizabeth Hendrickson  Four Hour Work Week, Tim Ferris  The Phoenix Project, Kevin Behr, George Spafford, Gene Kim  Signal v. Noise 37Signals blogs (on medium) and books  ReWork by the Basecamp guys
  • 29.
    Slide 29 Resources –new ideas New ideas – challenge assumptions, push thinking …also, VIDEOS!  Distributed Security Alerting by Ryan Huber (blog)  Security Automation by Ryan Huber (video)  What Got Us Here Won’t Get Us There Black Hat keynote by Haroon Meer  Cloud Computing – Why IT Matters by Simon Wardley at OSCON 09
  • 30.
    Slide 30 Conclusion If youwant to understand where security is going, stop looking at security, and start following IT innovation, trends and changes
  • 31.
    THANK YOU! Adrian Sanabria @sawaba [email protected] Toget a copy of these slides, send an email to [email protected] with CSW2016 in the subject line or scan this QR code

Editor's Notes

  • #2 MIS Training Institute Section # - Page 1 XXXXXX XXX ©
  • #4 We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
  • #5 We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
  • #6 We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
  • #7 We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
  • #8 Just an idea – doesn’t have to be precisely like this. Depends on the business, the culture, trial/error and a hundred other factors. The general idea though, is to get security responsibility and expertise closer to where the work is done.
  • #10 Do you have any DevOps-excitable people back at the office? They’ll have this running by the time you get back there. You’re welcome for the heads up ;) But look at that! Security! Built-in, not bolted on! Well, in theory – we still need to dig into this.
  • #13 Introduced an independent test unit, which made the number of bugs go up and software quality go down.
  • #14 Findings More QA = more bugs and longer cycles Created the psychological impact of telling developers that quality is someone else’s problem Insulting; percieved lack of empathy and respect for the developer Solution Tight relationships necessary between QA and Dev QA remains, but with an artificial bottleneck Developers still responsible for deadlines and therefore have to ‘budget’ time for QA Devs write better code to ensure it goes through QA quickly Devs need to be given 10% extra time to ensure better quality code.
  • #15 Also, remember – the two are inseparably linked. When we talk about code quality, we’re also often talking about security - issues with quality is where vulnerabilities come from, right?
  • #20 I’m using AWS as an example here, because it represents one extreme. There are 55 products on this page, but only one of them is for running virtual servers. Can we even call this cloud? It is probably better to think of large public clouds like AWS instead, as a development framework. You could just forklift most of your datacenter and applications into AWS, but you wouldn’t be getting a lot of value out of it.
  • #22 If we’re not well equipped to handle them? Yes. Otherwise… my research shows that they’re already being given away to non-security folks. Turns out, it is easier to take someone with a dev background and skills and teach them security than to take security folks and teach them dev & low tolerance for inefficiency.  Again, this aligns with the mainframe/Windows admin analogy
  • #25 SR DevSecOps Engineer "we are a cloud first, mobile first company" "capable of working in a multi-platform environment" Scripting: PowerShell, Python, Perl, Ruby Ability to automate tasks using scripting or other programming language. Demonstrated expertise in web services, virtualization, cloud concepts, REST, JSON, XML, SQL, PHP, LDAP, & object oriented methodologies. Senior InfoSec Analyst (SecOps role) Scripting or general purpose programming languages (Javascript, Perl, PHP, Powershell, Python, etc.) Representational state transfer (REST) APIs Software Security Analyst Lots of software stuff Technical Manager, AppSec Experience deploying systems and applications using cloud solutions (e.g. Amazon AWS, Azure) Experience with DevOps, CI/CD, Chef, Puppet Application security – secure SDLC practices, secure coding, application vulnerabilities, DAST, SAST, RASP, WAF Security Engineer Teach secure coding practices to software engineers through regular code reviews Validate and triage vulnerabilities submitted by researchers from our bug bounty program Design automated tests to ensure secure coding practices are followed Experience testing for vulnerabilities in Ruby on Rails applications Solid understanding of web security fundamentals Information Security Analyst/Engineer Experience with various scripting and programming languages such as Python, Perl, Java, etc. Experience with C and/or C++ would be awesome. Experience with both RDBMS (MySQL) and NoSQL (Cassandra, Couchbase, Mongo). Experience with and proven methods for analyzing and interpreting information from Security Operations Centers (SOCs), Computer Security Incident Response Teams (CSIRTs), or SecOps systems. Experience deploying, monitoring, and managing the information security risk posture with open source tools, to include: Moloch, ElasticSearch + Logstash + Kibana (The ELK stack), SIEMonster, Bro, Snort, Suricata, Syslog, Cuckoo, etc. Proficiency with using and securing popular cloud services (SAAS, IAAS, etc.). Security Ops Engineer at Slack Responsibilities Create and develop solutions to improve Slack’s Security stack Build and maintain the state of the art systems that help make Slack more secure Automate tooling and process to eliminate as much manual work as possible Collaborate with Slack’s operations team and advise on best practices Help improve signal detection and alerting capabilities Participate in the on-call rotation supporting the security team’s infrastructure Requirements You have a background in development or operations with a strong interest in security You are proficient in at least one programming language, such as Python, Go, Node, PHP, Ruby, *sh, etc. You have strong written and verbal communication skills You have a solid understanding of web application architecture You write readable, maintainable code You have a solid background using Linux and *nix operating systems You have experience working with git for source code management You have used configuration management tools (Ansible, Chef, Puppet, etc) You have experience with administration of cloud services, such as AWS
  • #26 “Learn to write code”, what does that mean? Doesn’t mean you have to learn to write UI, mobile apps, create database schemas and all that. It means you should be able to recognize opportunities to make a task more efficient and write the code to implement that change Learn to do it for ordinary, boring things. ESPECIALLY that. Automate the boring.
  • #32 MIS Training Institute Section # - Page 31 XXXXXX XXX ©