The document discusses how security and DevOps can have a better relationship by embedding security earlier in the development process. It suggests that security can speed up DevOps by automating security checks into CI/CD pipelines through automated code reviews, scanning for vulnerabilities, and testing for bugs. This enables developers to release faster with less risk while improving the overall security posture over time. When security is considered from the beginning, it reduces security issues and incidents in production and builds more trust in the products that are developed.
12. @stuhirstinfosec
This sums up what has been wrong… Security believes it has to clean up the “unicorn shit” from DevOps. No wonder our relationship has been fraught…

23. CI/CD & Code
• We don’t need you to code more securely, we should prevent it anyway
• Automated code review
• Code scanning (SAST/DAST)
• OWASP Top 10
• Behaviour-driven (BDD)

24. CI/CD & Code
• Release faster with less risk (yay!)
• Fewer bugs to fix
• Leverage open-source
• Remediate vulnerabilities at scale

25. Bugs
• Are Security bugs any different to functional bugs?!
• Finding sec bugs will improve overall posture & introduce best practice over time

26. Bugs - how do we find them?
• Bug Bounty / Crowdsourced testing
• ‘Hack Yourself First’/Red Teaming
• Scanners - e.g. OWASP ZAP
• Pen Tests

29. Automating Security into Cloud Infrastructure pipelines can:
• Make public buckets impossible
• Force encryption at rest/in transit
• Establish key management and rotation
• Help with cost control (yes, really!)

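One way to make the first three of these checks concrete in a pipeline, as an added example that is not from the talk: a policy-as-code gate, assumed to run on `terraform show -json` output before `terraform apply`, that fails the build on a public S3 bucket, a bucket without server-side encryption, or a KMS key without rotation. It assumes the older AWS provider schema where `acl` and `server_side_encryption_configuration` sit inline on `aws_s3_bucket`; the sample plan is constructed.

```python
"""Policy-as-code gate for an infrastructure pipeline (added example):
fail the build if a Terraform plan would create a public S3 bucket, a bucket
without encryption at rest, or a KMS key without rotation."""
import json
import sys

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}

# Constructed sample of `terraform show -json` output ("resource_changes");
# assumes the older AWS provider schema with acl/SSE inline on the bucket.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {
        "actions": ["create"], "after": {"acl": "public-read",
                                         "server_side_encryption_configuration": []}}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket", "change": {
        "actions": ["create"], "after": {"acl": "private",
                                         "server_side_encryption_configuration": [{"rule": []}]}}},
    {"address": "aws_kms_key.data", "type": "aws_kms_key", "change": {
        "actions": ["update"], "after": {"enable_key_rotation": False}}},
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket", "change": {
        "actions": ["delete"], "after": None}},
]}

def find_violations(plan: dict) -> list[str]:
    """Return one finding per violation; an empty list means the plan passes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:  # resource is being destroyed: nothing to enforce
            continue
        addr = rc["address"]
        if rc["type"] == "aws_s3_bucket":
            if after.get("acl", "private") in PUBLIC_ACLS:
                findings.append(f"{addr}: public ACL {after['acl']!r}")
            if not after.get("server_side_encryption_configuration"):
                findings.append(f"{addr}: no encryption at rest configured")
        elif rc["type"] == "aws_kms_key" and not after.get("enable_key_rotation"):
            findings.append(f"{addr}: key rotation disabled")
    return findings

def main(argv: list[str]) -> int:
    """CI entry point: a non-zero exit stops the pipeline before `terraform apply`."""
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    findings = find_violations(plan)
    for finding in findings:
        print("POLICY VIOLATION:", finding)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```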
32. Data
• We help make it available by reducing Denial Of Service attacks
• Preserve integrity so data can’t be altered
• Ensure confidentiality

41. Reducing Risk & Incidents
• Boards LOVE risk reduction!
• Fewer incidents = more time doing cool shit
• Less time dealing with 9pm Friday nonsense = more beer time