This document discusses the evolution of DevSecOps and provides guidance for security professionals. It notes that DevSecOps approaches have gained popularity as DevOps has grown over the past decade. It recommends that security professionals focus on detection over protection, embrace a blameless culture of continuous improvement, and get involved in DevSecOps communities to help build security tools and practices.
2. Always an Early Adopter
Google Trends
• DevOps.com was bought in
2004
• Google searches for “DevOps”
started to rise in 2010
• Major influences:
– Saving your Infrastructure from
DevOps / Chicago Tribune
– DevOps: A Culture Shift, Not a
Technology / Information Week
– DevOps: A Sharder’s Tale from
Etsy
– DevOps.com articles
• RuggedSoftware.org was
bought in 2010
https://www.google.com/trends/
5. This is the End of Security as We Know It…
Say what?!??!
6+ years later, it’s hard to believe
we’re still shocked by this quote!
This talk will provide you with a
path forward…
And a survival kit...
-Josh Corman
6. An Ugly Little Secret
• DevOps teams make security
decisions… several times,
everyday!
• Hackers find security issues and
exploit them... several times,
everday!
• Security teams hardly ever make
security decisions... and really only
when risks need to be officially
authorized!
https://www.flickr.com/photos/denise_rowlands
7. In a Deming World…
• Most decisions are made within the
software supply chain by engineering
teams
• Security decisions are usually made as a
result of attempting to balance design
constraints
• Gating processes are not Deming-like; but
it is hard to avoid business catastrophes by
applying measure ahead strategies for
security
• Most security defects are identified during
a major event triggering the equivalent of
a security “recall”
design build deploy operate
How do I
secure my
app?
What
component
is secure
enough?
How do I
secure
secrets for
the app?
Is my app
getting
attacked?
How?
Typical gates for security
checks & balances
Mistakes and drift often happen
after design and build phases
Most costly mistakes
Happen during design
Missing and much-needed feedback loop
8. Hackers have lots of opportunities…
People
• Susceptible to phishing and email scams
• Can be social engineered
Process
• Humans make mistakes, because they are human (6 Sigma)
• Process gaps provide room for fraud
Technology
• Software complexity increases with reusable components
• Technology providers have to do their part, or everyone fails!
9. Get Grounded in Reality
• Secure business is the new black! KTLO!
• Everyone must be responsible for security!
• Perfection is over-rated… Mistakes are
inevitable.
• Reacting can be costly… build security in.
• Compliance is important but it’s not security!
• A blaming culture is dangerous, avoid it!
• Continuously test, detect, measure and
incrementally improve.
10. Keep The Lights On!
• Keeping the Lights on includes
Security…
• 66% of companies adopting
DevOps
• DevOps teams need guardrails
and guidelines to move fast
• Security decisions that haven’t
been made before likely
require escalation
https://www.flickr.com/photos/darwinbell
http://www.rightscale.com/blog/cloud-industry-insights/cloud-
computing-trends-2015-state-cloud-survey
11. Enlist Everyone!
• Common ratio for Dev, Ops
and Sec => 100, 10, 1
• Numbers matter against
attackers!
• Skills help, but anyone can
identify an anomaly.
• Everyone needs to help
with security; everyone has
a role to play. And this is hard to find...
12. Mistakes happen…
• DevOps utilize customer-driven
development processes with
incremental changes…Mistakes
just happen.
• But because of frequent
changes, teams have more
opportunities to correct
defects, on average 30x more
• Teams need help deciphering
how to self-correct
https://www.flickr.com/photos/doobybrain
13. Protection is ideal; Detection is a must!
• The faster a defect is
discovered, the faster it can
be dealt with.
• DevOps has 50% faster MTTR
• Transforming security events
into incidents and problems
helps with resolution rates https://www.flickr.com/photos/daoro
14. Compliance Programs won’t stop a breach
• Point in time assessments
don’t go far enough
• 0 companies (in 10 years)
have been found compliant
after a breach
• Compliance needs to be
paired with rugged security
http://www.slideshare.net/VerizonEnterpriseSolutions/webinar-new-
insights-to-simplify-pci-compliance-and-manage-risk
15. High Performing is where it’s at!
• High performing teams that
focus on a blameless culture
improve on average 50% better
• Blaming cultures create less
engagement, 30% less efficient
• MTTR is 5x faster in blameless
teams that focus on
opportunities first
#1
16. Continuous Improvement
• Continuous improvement has
been a goal for an endless
amount of years
• Teams that focus on testing,
early detection, and measuring
progress have 30% fewer
defects in production
• Tests are often added to
continuous delivery to achieve
better results throughout the
continuous delivery pipeline
https://www.flickr.com/photos/deniscollette
17. Great! What does this look like in practice for a
security professional?
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
20. Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity
• Join Us !!!
• Spread the word!!!