Real World Security @ DevSecOps Gathering (Sept '18)
- 1. Real World Security (for some definition of ‘real’)
- 2. This talk is NOT about ● Shifting left ● The pipeline ● Any particular tool or product ● How we do things ● How we communicate things ● How things fit into the big picture This talk IS about
- 3. Real World Requirements What are we building?
- 4. Pick ‘n Mix Security
- 5. As a security architect I want to use parameterised queries So that we’re covered from an OWASP Top 10 perspective Tickbox Security
- 7. Rethinking security requirements ● Use scenarios ● Involve the whole team ● Language matters
- 8. Getting Product Security Engineering Right “Rather than focusing on tactical objectives and policy documents, try to write down a concise mission statement explaining why you are a team in the first place, what specific business outcomes you are aiming for, how do you prioritize it, and how you want it all to change in a year or two. It should be a fluid narrative that reads right and that everybody on your team can take pride in” Michal Zalewski https://lcamtuf.blogspot.com/2018/02/getting-product-security-engineering.html
- 9. Betfair’s customer performance charter “Under peak loads, with performance measured at the 95th percentile, for typical user bandwidths and a 0% error rate, our users shall experience Visual Progress (header loaded) in less than 1 second. Time to interact with useful content within 1.5 seconds and full page loads within 3 seconds. (There is room for improvement on this front as our current sports home page loads in approx. 18 seconds at the 95th percentile). We will publish our aggregate stats here monthly.”
- 10. Betfair’s customer performance charter “Under peak loads, with performance measured at the 95th percentile, for typical user bandwidths and a 0% error rate, our users shall experience Visual Progress (header loaded) in less than 1 second. Time to interact with useful content within 1.5 seconds and full page loads within 3 seconds. (There is room for improvement on this front as our current sports home page loads in approx. 18 seconds at the 95th percentile). We will publish our aggregate stats here monthly.” Key: ● Where are we now ● What does success look like ● How will we measure it ● How will we show progress
- 11. Real World Visibility What are we running?
- 12. Many companies have... ● Separate Dev and Ops (and Sec) ● Many Dev teams but few Ops & Sec teams ● Projects, not products ● Live Services team doing BAU ● Unmaintained apps in prod ● Data centres, not cloud providers Dev Ops Sec
- 13. Why does this matter? ● We’re not just securing one app ● Securing one app well is of little value if others aren’t similarly secured ● Security doesn’t end with active development… it continues until software is decommissioned
- 14. One view to rule them all Catalogue
- 15. How do we fix this? (in draft)
- 17. Three Ps Participants Who’s involved in delivering secure software, and what is their role? Principles Security is Collaborative, Continuous, and Contextual Practices Organise, Build & Operate
- 18. Practices Organise OperateBuild e.g. Vulnerability Management, Incident Response, Training, Compliance & Policy, Intelligence, etc. e.g. Environment Provisioning, Security of the Pipeline, Deployment, Observability, Housekeeping, etc. e.g. Third Party Review, Story Triage, Pre Check-in, Security in the Pipeline, Deploy Decisions, etc.
- 19. Thank You Q & A