Shannon Lietz, profile picture
Uploaded byShannon Lietz
PPTX, PDF504 views

S360 2015 dev_secops_program

The document discusses the evolution and implementation of DevSecOps, emphasizing the need for speed and integration in security practices as organizations migrate to cloud environments. It outlines the principles and mindset required for DevSecOps, the challenges faced in security staffing, and the importance of fostering a customer-focused, iterative approach. Additionally, it highlights emerging trends, collaboration with cloud service providers, and the potential risks and innovations associated with adopting this approach.

Technologyâ—¦

Embed presentation

Downloaded 38 times
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Establishing a DevSecOps Program Shannon Lietz DevSecOps Leader & Sr. Mgr Cloud Security Engineering at Intuit
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Who I am • 25+ years Technology and Security Experience • Background in Security R&D • Working with the Cloud before it was called the “Cloud” • Manage my teams using DevOps and Scrum • IR & Crisis Management -- FOUNDER --
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org How was DevSecOps discovered? Securing at the rate of Innovation… • Pain • Trial & Error • Blood, sweat & tears • Ouch, my head hurts! It would have been great to hear this talk a couple years ago…. Bang Head Here
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Case for Change • DevOps, Agile and Scrum on the rise… • Workload migrations to software defined environments…. • Enterprises increasingly turning to Public and Private Cloud Providers… • Talent migrating to progressive companies willing to embrace change… • Start-ups now have game changing capabilities available for rent… Public Cloud • Competitive landscape has been changing…
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org What is DevSecOps? Problem Statement • DevOps requires continuous Deployments • Fast decision making is critical to DevOps success • Traditional Security just doesn’t scale or move fast enough… Welcome DevSecOps!! • Customer focused Mindset • Scale, Scale, Scale • Objective Criteria • Proactive Hunting • Continuous Detection & Response
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Emerging Security Trends • Shortage of Security Professionals • Big companies are attempting to scale security to move faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason Chan, Gene Kim, Josh Corman • Introduction of DevSecOps at MIRCon in 2014 • SecDevOps at RSA 2015 was full day of dedicated content • LinkedIn People Search: 8 DevSecOps, 7 SecDevOps, 7 DevOpsSec, 29k+ Cloud Security
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org The Art of DevSecOps DevSecOps Security Engineering Experiment, Automate, Test Security Operations Hunt, Detect, Contain Compliance Operations Respond, Manage, Train Security Science Learn, Measure, Forecast
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Getting Started Some basic principles: • You don’t need to do all of DevSecOps at once. • Small security teams can have a profound impact. • Organize around self-service. • Figure out how to communicate security for the layperson.
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Path to DevSecOps Security as Code? Experiment: Automate Policy Governance Security Operations? Experiment: Detection via Security Operations Experiment: Compliance via DevSecOps toolkit Experiment: Science via Profiling DevOps + Security DevOps + DevSecOps Compliance Operations? Science? Start Here?
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org The DevSecOps Mindset • Customer Focus • Open & Transparent • Iteration over Perfection • Hunting over Reaction • Hmmm - wait a minute, this sounds like a manifesto -> insert shameless plug here: http://www.devsecops.org
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org What’s the Work of a DevSecOps Team? Imagine that you will need to support all facets of security inline with development teams and at speed… • Do you have enough security experts to embed resources in DevOps teams? • Have you got amazing talent that would rather hunt for Security defects than create value? • Are you ready to invest in Self-Service for Security? • Are you working with a Cloud environment and can your team code?
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Ready to make these decisions? On-Prem Partial On-Prem Outsource w/ No Indemnif. Outsource w/ Part.Indemnif. Outsource w/ Full Indemnif. Who is responsible? INTERNAL You You You You + Partner Partner PARTNERS Which minimal controls are needed? Physical Security; Secure Handling & Disposal File or Object Encryption for Sensitive Data; Physical Security; Secure Handling & Disposal File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation Partner Security Controls; SOC Attestation Where does data transit and get stored? company “owned” data center or co- location any compute & transit; data stored on-prem public cloud; free services SaaS; public cloud; free services; private cloud managed services; SaaS; private cloud What are the innovation benefits? reduced latency; search sensitive data speed; reduced friction; search sensitive data speed; reduced friction; evolving patterns; community speed; reduced friction; evolving patterns; community speed; reduced friction; indemnification What are the potential risks? SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow Latency; SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown; Reduced Financial responsibility Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Or set up “policies” that look like this… { "Version": "2015-05-09", "Statement": { "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetAccountPasswordPolicy" ], "Resource": "*" } }
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org And how do you hunt for security issues in software defined environments?
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Can you communicate security complexity using simple processes? 1Discover 2Evaluate 3Control 4Communicate
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org More importantly, how do you translate? begin (iam.client.list_role_policies(:role_name => role)[:policy_names] - roledb.list_policies(role)).each do |policy| log.warn("Deleting Policy "#{policy}", which is not part of the approved baseline.") if policydiff("{}", URI.decode(iam.client.get_role_policy( :role_name => role, :policy_name => policy )[:policy_document]), {:argv => ARGV, :diff => options.diff}) end options.dryrun ? nil : iam.client.delete_role_policy( :role_name => role, :policy_name => policy ) end Account Grade: BHeal Account?
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Consider the DevSecOps Approach: Incident Drive Development (IDD) • Share your Security Tools within everyone in your organization • Everything is an incident, how you deal with it is a matter of priority and severity • Running campaigns & internal bounty programs, consider giving out t-shirts • Use your security experts as scientists • Keep Investigations separate
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Your environment should look something like this… insights security sciencesecurity tools & data AWS accounts S3 Glacier EC2 CloudTrail ingestion threat intel
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org And your team will need to operate like this… Central Account (Trusted) Admin IAM IAMIAM IAM IAM IAM BU Accounts (Trusting) SecRole SecRole SecRole SecRole SecRole SecRole IAM How did we decide which roles would be deployed? • Human • IAM Admin • Incident Response • Read Only • Services • IAM Grantor • Instance Roles required to support security services • Read Only
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org It’s not easy but it can make a difference… • Security stops being the reason nothing gets done. • Everyone in your organization is responsible for security. • Security can be a differentiator in most organizations and leads to its own innovation discovery
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Vendors embracing DevSecOps • AWS • TAP by Mandiant • SumoLogic • Splunk • OpenDNS • Evident.io • AlertLogic • Tanium • Outlier Security • Continuum Security
Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org Resources • http://www.devsecops.org • @devsecops • LinkedIn Group: DevSecOps • Github: DevSecOps • shannon@devsecops.org

More Related Content

PPTX
DevSecCon KeyNote London 2015
byShannon Lietz
 
PPTX
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 
PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
PPTX
Finding Security a Home in a DevOps World
byShannon Lietz
 
PPTX
ISACA Ireland Keynote 2015
byShannon Lietz
 
PPTX
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
PDF
Security at the Speed of Software Development
byDevOps.com
 
PPTX
Security as Code owasp
byShannon Lietz
 
DevSecCon KeyNote London 2015
byShannon Lietz
 
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 
The Journey to DevSecOps
bySeniorStoryteller
 
Finding Security a Home in a DevOps World
byShannon Lietz
 
ISACA Ireland Keynote 2015
byShannon Lietz
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
Security at the Speed of Software Development
byDevOps.com
 
Security as Code owasp
byShannon Lietz
 

What's hot

PPTX
The Teams Behind DevSecOps
byUleska
 
PPTX
Security and DevOps Overview
byAdrian Sanabria
 
PDF
Securing DevOps Lifecycle
byDevOps Indonesia
 
PPTX
Optimize & Secure Your Hybrid Cloud with Runecast (September 2021)
byJason Mashak
 
PDF
Runecast: Simplified Security with Unparalleled Transparency (March 2022)
byJason Mashak
 
PPTX
451 AppSense Webinar - Why blame the user?
byAdrian Sanabria
 
PPTX
Runecast Analyzer Overview
byStanimir Markov
 
PDF
Chaos Engineering - The Art of Breaking Things in Production
byKeet Sugathadasa
 
PPTX
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 
PPTX
Overcoming Security Challenges in DevOps
byAlert Logic
 
PDF
Chaos engineering for cloud native security
byKennedy
 
PDF
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
byDJ Schleen
 
The Teams Behind DevSecOps
byUleska
 
Security and DevOps Overview
byAdrian Sanabria
 
Securing DevOps Lifecycle
byDevOps Indonesia
 
Optimize & Secure Your Hybrid Cloud with Runecast (September 2021)
byJason Mashak
 
Runecast: Simplified Security with Unparalleled Transparency (March 2022)
byJason Mashak
 
451 AppSense Webinar - Why blame the user?
byAdrian Sanabria
 
Runecast Analyzer Overview
byStanimir Markov
 
Chaos Engineering - The Art of Breaking Things in Production
byKeet Sugathadasa
 
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 
Overcoming Security Challenges in DevOps
byAlert Logic
 
Chaos engineering for cloud native security
byKennedy
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
byDJ Schleen
 

Viewers also liked

PDF
DevSecOps - Building Rugged Software
bySeniorStoryteller
 
PDF
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
byDevSecCon
 
PDF
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
byDevSecCon
 
PDF
How to Achieve Agile API Security
byApigee | Google Cloud
 
PDF
RoboCop: Bringing Law and Order to CI/CD
byFranklin Mosley
 
PPTX
DevSecCon Keynote
byShannon Lietz
 
PPTX
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
byDevSecCon
 
PPTX
The Journey to DevSecOps
byShannon Lietz
 
PDF
Securing the container DevOps pipeline by William Henry
byDevSecCon
 
PPT
DevSecOps SG Introduction - August Meetup
byDevSecOpsSg
 
PPT
DevSecOps Singapore introduction
byStefan Streichsbier
 
PDF
Dev seccon london 2016 intelliment security
byDevSecCon
 
PDF
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
byDevSecCon
 
PDF
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
byDevSecCon
 
PPTX
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
byDevSecCon
 
PPTX
DevSecCon Asia 2017 Arun N: Securing chatops
byDevSecCon
 
PPTX
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
bySeniorStoryteller
 
PDF
Justin collins - Practical Static Analysis for continuous application delivery
byDevSecCon
 
PDF
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
byDevSecCon
 
PDF
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
byDevSecCon
 
DevSecOps - Building Rugged Software
bySeniorStoryteller
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
byDevSecCon
 
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
byDevSecCon
 
How to Achieve Agile API Security
byApigee | Google Cloud
 
RoboCop: Bringing Law and Order to CI/CD
byFranklin Mosley
 
DevSecCon Keynote
byShannon Lietz
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
byDevSecCon
 
The Journey to DevSecOps
byShannon Lietz
 
Securing the container DevOps pipeline by William Henry
byDevSecCon
 
DevSecOps SG Introduction - August Meetup
byDevSecOpsSg
 
DevSecOps Singapore introduction
byStefan Streichsbier
 
Dev seccon london 2016 intelliment security
byDevSecCon
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
byDevSecCon
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
byDevSecCon
 
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
byDevSecCon
 
DevSecCon Asia 2017 Arun N: Securing chatops
byDevSecCon
 
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
bySeniorStoryteller
 
Justin collins - Practical Static Analysis for continuous application delivery
byDevSecCon
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
byDevSecCon
 
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
byDevSecCon
 

Similar to S360 2015 dev_secops_program

PPTX
Finding-Security-A-Home-In-A-DevOps-World.pptx
byalejandro415203
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PDF
Pentest is yesterday, DevSecOps is tomorrow
byAmien Harisen Rosyandino
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
PDF
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PDF
Security & DevOps - What We Have Here Is a Failure to Communicate!
byDevOps.com
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
PDF
DevSecOps What Why and How
byNotSoSecure Global Services
 
PDF
DevOps vs DevSecOps_ What CTOs Must Know Before Scaling Securely.pdf
byDevseccops.ai
 
PPTX
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
PDF
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 
PDF
DevSecOps Implement Making Security Central to Your DevOps Pipeline
byEnov8
 
PPTX
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
byTroy Marshall
 
PDF
Why does security matter for devops by Caroline Wong
byDevSecCon
 
PDF
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
byTexas.gov
 
Finding-Security-A-Home-In-A-DevOps-World.pptx
byalejandro415203
 
The What, Why, and How of DevSecOps
byCprime
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
Introduction to DevSecOps
byabhimanyubhogwan
 
Introduction to DevSecOps
bySetu Parimi
 
Pentest is yesterday, DevSecOps is tomorrow
byAmien Harisen Rosyandino
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
Security & DevOps - What We Have Here Is a Failure to Communicate!
byDevOps.com
 
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
DevSecOps What Why and How
byNotSoSecure Global Services
 
DevOps vs DevSecOps_ What CTOs Must Know Before Scaling Securely.pdf
byDevseccops.ai
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 
DevSecOps Implement Making Security Central to Your DevOps Pipeline
byEnov8
 
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
byTroy Marshall
 
Why does security matter for devops by Caroline Wong
byDevSecCon
 
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
byTexas.gov
 

Recently uploaded

PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
MathML Core in WebKit
byIgalia
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
WebXR in Android and Linux with OpenXR
byIgalia
 
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 

S360 2015 dev_secops_program

  • 1.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Establishing a DevSecOps Program Shannon Lietz DevSecOps Leader & Sr. Mgr Cloud Security Engineering at Intuit
  • 2.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Who I am • 25+ years Technology and Security Experience • Background in Security R&D • Working with the Cloud before it was called the “Cloud” • Manage my teams using DevOps and Scrum • IR & Crisis Management -- FOUNDER --
  • 3.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org How was DevSecOps discovered? Securing at the rate of Innovation… • Pain • Trial & Error • Blood, sweat & tears • Ouch, my head hurts! It would have been great to hear this talk a couple years ago…. Bang Head Here
  • 4.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Case for Change • DevOps, Agile and Scrum on the rise… • Workload migrations to software defined environments…. • Enterprises increasingly turning to Public and Private Cloud Providers… • Talent migrating to progressive companies willing to embrace change… • Start-ups now have game changing capabilities available for rent… Public Cloud • Competitive landscape has been changing…
  • 5.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org What is DevSecOps? Problem Statement • DevOps requires continuous Deployments • Fast decision making is critical to DevOps success • Traditional Security just doesn’t scale or move fast enough… Welcome DevSecOps!! • Customer focused Mindset • Scale, Scale, Scale • Objective Criteria • Proactive Hunting • Continuous Detection & Response
  • 6.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Emerging Security Trends • Shortage of Security Professionals • Big companies are attempting to scale security to move faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason Chan, Gene Kim, Josh Corman • Introduction of DevSecOps at MIRCon in 2014 • SecDevOps at RSA 2015 was full day of dedicated content • LinkedIn People Search: 8 DevSecOps, 7 SecDevOps, 7 DevOpsSec, 29k+ Cloud Security
  • 7.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org The Art of DevSecOps DevSecOps Security Engineering Experiment, Automate, Test Security Operations Hunt, Detect, Contain Compliance Operations Respond, Manage, Train Security Science Learn, Measure, Forecast
  • 8.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Getting Started Some basic principles: • You don’t need to do all of DevSecOps at once. • Small security teams can have a profound impact. • Organize around self-service. • Figure out how to communicate security for the layperson.
  • 9.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Path to DevSecOps Security as Code? Experiment: Automate Policy Governance Security Operations? Experiment: Detection via Security Operations Experiment: Compliance via DevSecOps toolkit Experiment: Science via Profiling DevOps + Security DevOps + DevSecOps Compliance Operations? Science? Start Here?
  • 10.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org The DevSecOps Mindset • Customer Focus • Open & Transparent • Iteration over Perfection • Hunting over Reaction • Hmmm - wait a minute, this sounds like a manifesto -> insert shameless plug here: http://www.devsecops.org
  • 11.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org What’s the Work of a DevSecOps Team? Imagine that you will need to support all facets of security inline with development teams and at speed… • Do you have enough security experts to embed resources in DevOps teams? • Have you got amazing talent that would rather hunt for Security defects than create value? • Are you ready to invest in Self-Service for Security? • Are you working with a Cloud environment and can your team code?
  • 12.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Ready to make these decisions? On-Prem Partial On-Prem Outsource w/ No Indemnif. Outsource w/ Part.Indemnif. Outsource w/ Full Indemnif. Who is responsible? INTERNAL You You You You + Partner Partner PARTNERS Which minimal controls are needed? Physical Security; Secure Handling & Disposal File or Object Encryption for Sensitive Data; Physical Security; Secure Handling & Disposal File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation Partner Security Controls; SOC Attestation Where does data transit and get stored? company “owned” data center or co- location any compute & transit; data stored on-prem public cloud; free services SaaS; public cloud; free services; private cloud managed services; SaaS; private cloud What are the innovation benefits? reduced latency; search sensitive data speed; reduced friction; search sensitive data speed; reduced friction; evolving patterns; community speed; reduced friction; evolving patterns; community speed; reduced friction; indemnification What are the potential risks? SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow Latency; SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown; Reduced Financial responsibility Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown
  • 13.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Or set up “policies” that look like this… { "Version": "2015-05-09", "Statement": { "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetAccountPasswordPolicy" ], "Resource": "*" } }
  • 14.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org And how do you hunt for security issues in software defined environments?
  • 15.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Can you communicate security complexity using simple processes? 1Discover 2Evaluate 3Control 4Communicate
  • 16.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org More importantly, how do you translate? begin (iam.client.list_role_policies(:role_name => role)[:policy_names] - roledb.list_policies(role)).each do |policy| log.warn("Deleting Policy "#{policy}", which is not part of the approved baseline.") if policydiff("{}", URI.decode(iam.client.get_role_policy( :role_name => role, :policy_name => policy )[:policy_document]), {:argv => ARGV, :diff => options.diff}) end options.dryrun ? nil : iam.client.delete_role_policy( :role_name => role, :policy_name => policy ) end Account Grade: BHeal Account?
  • 17.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Consider the DevSecOps Approach: Incident Drive Development (IDD) • Share your Security Tools within everyone in your organization • Everything is an incident, how you deal with it is a matter of priority and severity • Running campaigns & internal bounty programs, consider giving out t-shirts • Use your security experts as scientists • Keep Investigations separate
  • 18.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Your environment should look something like this… insights security sciencesecurity tools & data AWS accounts S3 Glacier EC2 CloudTrail ingestion threat intel
  • 19.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org And your team will need to operate like this… Central Account (Trusted) Admin IAM IAMIAM IAM IAM IAM BU Accounts (Trusting) SecRole SecRole SecRole SecRole SecRole SecRole IAM How did we decide which roles would be deployed? • Human • IAM Admin • Incident Response • Read Only • Services • IAM Grantor • Instance Roles required to support security services • Read Only
  • 20.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org It’s not easy but it can make a difference… • Security stops being the reason nothing gets done. • Everyone in your organization is responsible for security. • Security can be a differentiator in most organizations and leads to its own innovation discovery
  • 21.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Vendors embracing DevSecOps • AWS • TAP by Mandiant • SumoLogic • Splunk • OpenDNS • Evident.io • AlertLogic • Tanium • Outlier Security • Continuum Security
  • 22.
    Celebrating a decade ofguiding security professionals. @Secure360 or www.Secure360.org Resources • http://www.devsecops.org • @devsecops • LinkedIn Group: DevSecOps • Github: DevSecOps • [email protected]

Editor's Notes

  • #2 Disclaimer: The content in this presentation represents my own views and does not reflect an endorsement by my employer.
  • #15 Attribution: Erik Peterson at RSA 2015
  • #18 Security teams and DevOps must search the same security repositories and build rules to detect anomalies Everything is an incident, how you deal with it is a matter of priority and severity Running campaigns can have a profound impact in reducing attack surface, consider giving out t-shirts Investigation tools and Search history for Investigators are kept separate for disclosure purposes