
Finding Security a Home in a DevOps World

@devsecops

http://devsecops.org

Who I am

• 25+ yrs Technology & Security

• Background in Security R&D

• Working with the Cloud before it was called “The Cloud”

• Manage my teams using DevOps & Scrum

• Big Scale IR & Crisis Management

-- FOUNDER --

Why I’m @ DevOps Summit

• Awesome Venue to talk to like-minded individuals

• Increase viability through collaboration

• Customer Research & Feedback

• Because DevOps Summit Rocks!!

How can Security enable a DevOps World?

Here’s how to listen if you are a…

Your Role: Your Interest

DevOps: Less Friction, Faster Decisions

Security: Value Creation

Management: Faster Delivery of Customer Features with Better Security

Are you tired of the Traditional Security grind? Is Security preventing your DevOps success?

• Double-click installer

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

• Click "Next"

Page 3 of 267

Security Configuration Procedures V 3.6.0.1.1, January 2011

Frozen in Time

Is bureaucracy getting in the way of Continuous Deployments and Real Security?

Why does it take so long for features?

[Diagram labels: You; CISO; Your Customer]

Hopefully it’s not going to be another round of “No’s”…

Does it feel like a Waste of Time?


Making you feel like this…

Bang Head Here

Because you want to fulfill on these promises….

KEEP CUSTOMER DATA SAFE!!! JOB #1


SOLVE CUSTOMER PROBLEMS!!! JOB #2


BUT what if you could make good security decisions with guidelines like these?

The slide is a matrix with five hosting options as columns (the "Who is responsible?" row runs along an axis from Internal to Partners). Written out per column:

On-Prem

Who is responsible? You (internal)

Which minimal controls are needed? Physical Security; Secure Handling & Disposal

Where does data transit and get stored? company “owned” data center or co-location

What are the innovation benefits? reduced latency; search sensitive data

What are the potential risks? SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow

Partial On-Prem

Who is responsible? You (internal)

Which minimal controls are needed? File or Object Encryption for Sensitive Data; Physical Security; Secure Handling & Disposal

Where does data transit and get stored? any compute & transit; data stored on-prem

What are the innovation benefits? speed; reduced friction; search sensitive data

What are the potential risks? Latency; SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow

Outsource w/ No Indemnif.

Who is responsible? You (internal)

Which minimal controls are needed? File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation

Where does data transit and get stored? public cloud; free services

What are the innovation benefits? speed; reduced friction; evolving patterns; community

What are the potential risks? Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown; Reduced Financial responsibility

Outsource w/ Part. Indemnif.

Who is responsible? You + Partner

Which minimal controls are needed? File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation

Where does data transit and get stored? SaaS; public cloud; free services; private cloud

What are the innovation benefits? speed; reduced friction; evolving patterns; community

What are the potential risks? Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown

Outsource w/ Full Indemnif.

Who is responsible? Partner

Which minimal controls are needed? Partner Security Controls; SOC Attestation

Where does data transit and get stored? managed services; SaaS; private cloud

What are the innovation benefits? speed; reduced friction; indemnification

What are the potential risks? Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown

Because your Security Team does this:

DevSecOps

Security Engineering

Experiment, Automate, Test

Security Operations

Hunt, Detect, Contain

Compliance Operations

Respond, Manage, Train

Security Science

Learn, Measure, Forecast

And this…

[Diagram labels: Source Code Repository (Pull / Push); Baseline; IAM Catalog; Trusting BU Accounts containing SecRole (IAM Role); pipeline Develop, Review, Test, Approve, Commit; Ruby; AKID/SAK; Admin; STS Creds; steps numbered 1 to 5]

Using these tools…

[Diagram labels: insights; security science; security tools & data; AWS accounts; S3; Glacier; EC2; CloudTrail; ingestion; threat intel]

And these…

[Diagram labels: Central Account (Trusted) with Admin; six BU accounts, each with its own IAM and a SecRole]

How did we decide which roles would be deployed?

• Human

  • IAM Admin

  • Incident Response

  • Read Only

• Services

  • IAM Grantor

  • Instance Roles required to support security services

  • Read Only

And these…

$ bundle exec bin/tk help config
Usage:
  tk config

Options:
  -i, [--interactive], [--no-interactive]          # interactive mode for q&a to set up config
  -p, [--profile-name=PROFILE_NAME]                # profile name in .aws config file
  -r, [--master-region=MASTER_REGION]              # region for master account
                                                   # Default: us-west-2
  -a, [--master-account=MASTER_ACCOUNT]            # 12 digit AWS account number without dashes
  -n, [--master-role-name=MASTER_ROLE_NAME]        # name of master role to assume cross-account roles
                                                   # Default: master-auditor
  -t, [--target-account-list=TARGET_ACCOUNT_LIST]  # location for csv file containing accounts list to audit
                                                   # Default: config/accounts.csv
  -d, [--output-dir=OUTPUT_DIR]                    # directory for storing results
                                                   # Default: home
  -f, [--output-type=OUTPUT_TYPE]                  # supports csv
                                                   # Default: csv

Description:
  Using the devsecops toolkit requires a master configuration file to establish the credentials, role, MFA, etc. used to support cross-account usage. This command provides you with an interactive and advanced interface for creating a configuration file to support your usage. The configuration file can be found in your home directory under .tk/config and you can also hand edit this file using yaml.
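The cross-account pattern behind the diagrams and the `tk config` options (a central trusted account that assumes a SecRole-style role in each business-unit account through STS, driven by a master role name and a CSV of target accounts) is easier to see in working code. The following is an added example written for this page; it is not code from the deck or from the devsecops toolkit. The CSV column names, the `FakeSts` stand-in for `Aws::STS::Client`, the `tk-audit` session name and the role names used in the trust policy are all assumptions made so the example runs offline.

```ruby
# Added example (not from the deck or the devsecops toolkit): a central
# account assumes a master role in every target account listed in a CSV,
# following the settings `tk help config` describes. CSV columns, FakeSts
# and the role names are assumptions for an offline run.
require 'csv'
require 'json'

# `tk help config`: "12 digit AWS account number without dashes".
ACCOUNT_ID_RE = /\A\d{12}\z/

# Constructed stand-in for config/accounts.csv (column names assumed).
SAMPLE_ACCOUNTS_CSV = <<~CSV
  account_id,name
  111111111111,payments-prod
  222222222222,analytics-dev
  3333-3333-3333,malformed-id
CSV

# ARN of the role the central account assumes in a target account.
def role_arn(account_id, role_name)
  "arn:aws:iam::#{account_id}:role/#{role_name}"
end

# Splits the target list into well-formed and rejected ids, so a typo in the
# CSV fails loudly instead of producing an AssumeRole against the wrong account.
def load_accounts(csv_text)
  out = { valid: [], rejected: [] }
  CSV.parse(csv_text, headers: true).each do |row|
    id = row['account_id'].to_s.strip
    entry = { id: id, name: row['name'].to_s }
    (ACCOUNT_ID_RE.match?(id) ? out[:valid] : out[:rejected]) << entry
  end
  out
end

# Trust policy a SecRole in a BU account would carry: only the named role in
# the central account may assume it, and only when MFA was used on that session.
def sec_role_trust_policy(central_account_id, admin_role_name)
  {
    'Version' => '2012-10-17',
    'Statement' => [{
      'Effect' => 'Allow',
      'Principal' => { 'AWS' => role_arn(central_account_id, admin_role_name) },
      'Action' => 'sts:AssumeRole',
      'Condition' => { 'Bool' => { 'aws:MultiFactorAuthPresent' => 'true' } }
    }]
  }
end

# Assumes the master role in each valid account. `sts` is anything whose
# assume_role(role_arn:, role_session_name:) returns an object with a
# #credentials member, the shape of Aws::STS::Client#assume_role. Only the
# presence of a session token is recorded; secrets never reach the results.
def assume_in_all(sts, accounts, role_name, session_name: 'tk-audit')
  accounts.map do |acct|
    arn = role_arn(acct[:id], role_name)
    resp = sts.assume_role(role_arn: arn, role_session_name: session_name)
    { account: acct[:id], name: acct[:name], role_arn: arn,
      has_token: !resp.credentials.session_token.to_s.empty? }
  end
end

# Renders results as CSV, the tool's "--output-type csv".
def results_csv(sessions)
  CSV.generate do |csv|
    csv << %w[account name role_arn has_token]
    sessions.each { |s| csv << [s[:account], s[:name], s[:role_arn], s[:has_token]] }
  end
end

# Offline stand-in for Aws::STS::Client, constructed for this example.
class FakeSts
  Creds = Struct.new(:access_key_id, :secret_access_key, :session_token)
  Resp  = Struct.new(:credentials)
  attr_reader :calls

  def initialize
    @calls = []
  end

  def assume_role(role_arn:, role_session_name:, **_ignored)
    @calls << [role_arn, role_session_name]
    Resp.new(Creds.new('ASIA-EXAMPLE', 'not-a-real-secret', "token-for-#{role_arn}"))
  end
end

# Wires the pieces together the way the tool would after reading .tk/config.
def run_audit(csv_text, role_name, sts)
  accounts = load_accounts(csv_text)
  sessions = assume_in_all(sts, accounts[:valid], role_name)
  { sessions: sessions, rejected: accounts[:rejected], csv: results_csv(sessions) }
end

if __FILE__ == $PROGRAM_NAME
  result = run_audit(SAMPLE_ACCOUNTS_CSV, 'master-auditor', FakeSts.new)
  puts result[:csv]
  result[:rejected].each { |a| warn "rejected account id #{a[:id].inspect} (#{a[:name]})" }
  puts JSON.pretty_generate(sec_role_trust_policy('999999999999', 'Admin'))
end
```

Swapping `FakeSts.new` for a real `Aws::STS::Client` (with the profile and region from the config file) is the only change needed to run this against live accounts; the account-id check and the MFA condition in the trust policy are the two controls that keep a bad CSV entry or a stolen long-lived key from turning the central account into a skeleton key.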

Experimenting like this:

Security as Code?

Experiment: Automate

Policy Governance

Security Operations?

Experiment: Detection

via Security Operations

Experiment: Compliance

via DevSecOps

toolkit

Experiment: Science via

Profiling

DevOps + Security

DevOps + DevSecOps

Compliance Operations?

Science?

Start Here?

So that Security can be simple like this…

And you can improve the security of your app via Self-Service…

And you can collaborate like this…

So that you and your customers can feel like this…

With monitoring like this…

So you and your customers can sleep like this…


What if Security were MORE than just friction?

What if our experimentation helped us determine that we might have fewer of these…

STOP THE DATA BREACHES!!!

If we did more of this…

RED TEAM HACK DAYS

INCIDENT DRIVEN DEVELOPMENT METRICS

LEAN

EXPERIMENTS

DEVOPS

And less of this… Because it doesn’t work…

• Manual Reviews

• Paper Threat Modeling

• Gating Processes

• Approvals & Exceptions

• Reactive Incident Response

• Theoretical Evaluations

• F.U.D.

What would you do with all your free time?

Isn’t it time for you to demand a better world for DevOps?

Join the Community:

@devsecops

http://devsecops.org

LinkedIn: DevSecOps