Continuous Security: 5 Ways DevOps Improves Security

David Mortman, Chief Security Architect & Distinguished Engineer, Dell Software

Josh Corman, CTO, Sonatype

1. #RSAC Session ID: ASD-T07R. Continuous Security: 5 Ways DevOps Improves Security. David Mortman, Chief Security Architect & Distinguished Engineer, Dell Software (@mortman); Joshua Corman, CTO, Sonatype (@joshcorman).
2. 10/23/2013 @joshcorman: “It’s not enough to do your best; you must know what to do, and then do your best” – Deming. @joshcorman @mortman #RSAC #DevOps
3. ON TIME / ON BUDGET / ACCEPTABLE QUALITY/RISK. Dev’s core motivations are to be OnTime, OnBudget, w/ Acceptable Quality/Risk.
4. (Image only; no slide text.)
5. “Don’t Go Chasin’ Waterfalls”: Dev started w/ Waterfall, but modern demands require us to go faster.
6. Why go faster:
   ON TIME. Faster builds. Fewer interruptions. More innovation.
   ON BUDGET. More efficient. More profitable. More competitive.
   ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.
   Waterfall’s Design -> Dev -> Test -> Deploy may go 1.5-3 yrs b/w releases.
7. Agile goats; not goat rodeo. “We need to be agile, but not fragile.” @RuggedSoftware
8. Same ON TIME / ON BUDGET / ACCEPTABLE QUALITY/RISK benefits as slide 6, with the layer “Agile / CI” added: Agile & Lean tightened the Design -> Build -> Test cycle, releasing 6-12+ smaller batches/yr.
9. DevOps: It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;)
10. Same benefits as slide 6, with the layers “DevOps / CD” and “Agile / CI”: Agile made dev faster but wasn’t enough. DevOps extends patterns to Ops 4 mutual gains.
11. SW Supply Chains: Deming drove Toyota Supply Chains. We can EXTEND DevOps w/ his quality/safety patterns.
12. Same benefits as slide 6, with the layers “SW Supply Chain”, “DevOps / CD” and “Agile / CI”: SW SupplyChains enable faster, more efficient dev by reducing elective complexity/risk++.
13. SW Supply Chains: Our SW Supply Chain is only as strong as its weakest link. Can you say #OpenSSL?
14. Comparing the Prius and the Volt:
                          Toyota Advantage   Toyota Prius   Chevy Volt
   Unit Cost              61%                $24,200        $39,900
   Units Sold             13x                23,294         1,788
   In-House Production    50%                27%            54%
   Plant Suppliers        16% (10x per)      125            800
   Firm-Wide Suppliers    4%                 224            5,500
   Toyota Prius (v Volt) used 1/6th suppliers, better leveraged, for 60% price & 12x sales.
15. DevOps Defined: Is #DevOps a Culture? A Process? A Toolchain? YES; but the greatest of these is Culture/Empathy.
16. Myths abound RE: Security & #DevOps. We FUD-Haters should deal w/ facts.
17. RE: #DevOps & Security: You’re entitled to your own opinions, but not to your own facts.
18. MythBusted: “ITIL & ChangeMngt can’t be done w/ #DevOps” <- It can even make it easier/better.
19. True #DevOps + Security isn’t all rainbows & unicorns. Unicorn p00p has to be worked thru.
20. SW Status Quo: Most attacked; least spend. (Chart of security spending vs. attack risk. Source: Normalized CObIT spending across IDC, Gartner, The 451 Group; since groupings vary.)
   Host Security ~$10B
   Data Security ~$5B
   People Security ~$4B
   Network Security ~$20B
   Software Security ~$0.5B
   Within software: Written Code Scanning covers the <= 10% that is written; Assembled 3rd Party & OpenSource Components (~90% of most applications) get Almost No Spending.
   Worse, w/in Software, existing dollars go to the <= 10% written.
   StatusQuo: SW is MOST attacked & gets LEAST SecSpend; most on 10% of code we write.
21. Insanity: Einstein's Insanity: We could do the same thing over & over expecting different results.
22. WRT Security & #DevOps: We lose things AND we gain things. We’ll look at 5 things we gain.
23. This was added b/c the Red Hat in the “Lost & Found” made @mortman giggle & he forced it upon @joshcorman.
24. 1) Instrumentation! #DevOps instruments EVERYTHING & Security can use it in MANY ways.
25. 2) Be Mean To Your Code! To avoid failure; fail all the time. #ChaosMonkey #Gauntlt #BrakeMan
26. 3) Complexity Is Enemy of “All The Things”! All #DevOps parties benefit from reducing complexity.
27. Decomposition lowers complexity, adds security and reliability. (@mortman)
28. Simple > Complex. Simple != Easy though. There is no easy button, but there is an easiER one.
29. 4) Implicit and Explicit Change Management. Change is good and leads to stability and fights stagnation.
30. All of Chuck Norris’s Change Controls are Full Cycle and they’re always approved!
31. 5) Empathy is the killer app! Silos prohibit sharing and empathy….
32. Madame CISO, Tear Down This Wall!
33. Layers: Defensible Infrastructure / Operational Excellence / Situational Awareness / Countermeasures. Defensible Infrastructure is the software & hardware we build, buy, and deploy: 10% is written; 90% of software is assembled from 3rd party & Open Source. MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE. DefensibleIT & OpsExcellence have MOST Security impact, but elude CISO influence. BUT...
34. 10/23/2013 @joshcorman: the same four layers, with DevOps marked against three of them. [cont] #DevOps smashes silos & finally enables the MUCH LARGER Security gains in both.
35. Apply!
   • Stop resisting… “Survival isn’t mandatory” – Deming
   • Josh’s RSAC EU Keynote: http://youtu.be/m4Y_K7MXQxQ
   • Read “The Phoenix Project” by Gene Kim: http://itrevolution.com/books/phoenix-project-devops-book/
   • Watch videos from RSAC “DevOps Connect” Rugged DevOps Day: http://www.sonatype.org/nexus/2015/04/13/devops-connect-secops-editon-at-rsac-2015-speakers-and-schedule/
   • Grab tooling: Gauntlt, BrakeMan, Chaos Monkey, and the Simian Army
   • Start small, start anywhere, start TODAY!
   Get on the train before the train gets on you! Don’t delay, start today!
36. Conclusion/Wrap-Up: Follow Us & Rugged #DevOps at: @mortman @joshcorman @RuggedSoftware @RuggedDevOps @iamthecavalry