Hi DevOps, I'm Security, I Love You

•Télécharger en tant que PPTX, PDF•

3 j'aime•1,020 vues

The document discusses how security and DevOps can have a better relationship by embedding security earlier in the development process. It suggests that security can speed up DevOps by automating security checks into CI/CD pipelines through automated code reviews, scanning for vulnerabilities, and testing for bugs. This enables developers to release faster with less risk while improving the overall security posture over time. When security is considered from the beginning, it reduces security issues and incidents in production and builds more trust in the products that are developed.

Technologie

Hi DevOps, I’m Security, I
Love You
@stuhirstinfosec

Disclaimers;
I like memes & gifs.
I’m not an ‘expert’ or a
‘thought leader’, but I’ve
learned some stuff along the
way.
@stuhirstinfosec

@stuhirstinfosec
So what’s wrong
and how can we
make it better?

@stuhirstinfosec
We’ve perpetuated a
myth that DevOps cause
us pain

@stuhirstinfosec
This sums up what
has been wrong…
Security believes it
has to clean up the
“unicorn shit” from
DevOps.
No wonder our
relationship has
been fraught…

@stuhirstinfosec
Here, have a
Jira ticket.
You’re
welcome.

@stuhirstinfosec
SHIFTING LEFT!
(IMBEDDING SECURITY AS
EARLY AS WE CAN)

@stuhirstinfosec
Security
SPEEDS UP
DEVOPS!!!

@stuhirstinfosec
HEAR ME OUT!
I’ll explain how….

@stuhirstinfosec
CI/CD & Code
• We don’t need you to code more
securely, we should prevent it anyway
• Automated code review
• Code scanning (SAST/DAST)
• OWASP Top 10
• Behaviour-driven (BDD)

@stuhirstinfosec
CI/CD & Code
• Release faster with less risk (yay!)
• Fewer bugs to fix
• Leverage open-source
• Remediate vulnerabilities at scale

@stuhirstinfosec
Bugs
• Are Security bugs any different to
functional bugs?!
• Finding sec bugs will improve overall
posture & introduce best practice over
time

@stuhirstinfosec
Bugs - how do we find them?
• Bug Bounty / Crowdsourced testing
• ‘Hack Yourself First’/Red Teaming
• Scanners - e.g. OWASP ZAP
• Pen Tests

@stuhirstinfosec
Automating Security into Cloud
Infrastructure pipelines can;
• Make public buckets impossible
• Force encryption at rest/in transit
• Establish key management and rotation
• Help with cost control (yes, really!)

@stuhirstinfosec
Data
• We help make it available by reducing
Denial Of Service attacks
• Preserve integrity so data can’t be
altered
• Ensure confidentiality

@stuhirstinfosec
Keys & Secrets
North Carolina State University examined
accidental leakage of authentication
secrets to GitHub…..

@stuhirstinfosec
Keys & Secrets
1. Secrets in over 100,000
repositories
2. Over 1000 committed
daily

@stuhirstinfosec
Keys & Secrets
• Git-Secrets
• Hashicorp Vault
• https://github.com/dxa4481/truffleHog
(search for high-entropy strings)

@stuhirstinfosec
Threat Modelling
• What are we working on?
• What can go wrong?
• What are we going to do about it?
• Did we do a good job?

@stuhirstinfosec
Threat Modelling -
benefits
• Reduce attack surface
• Reduce vulnerabilities in Production
• Increase collaboration
• Architect better product!

@stuhirstinfosec
Reducing Risk &
Incidents
• Boards LOVE risk reduction!
• Fewer incidents = more time doing cool
shit
• Less time dealing with 9pm Friday
nonsense = more beer time

@stuhirstinfosec
WE MUST EXPECT
SECURITY
INCIDENTS TO
HAPPEN!

@stuhirstinfosec
Scalability
• Helps businesses grow quickly with less
friction
• Reduces the need for growing Security
teams
• Brings accountability into DevOps

@stuhirstinfosec
Compliance &
Regulation

@stuhirstinfosec
How Can
DevOps Help
Security?

@stuhirstinfosec
Better Security
increases TRUST
in the products we
build

Recommandé

Stu Hirst - 10 Years To CisoStu Hirst

โครงงานวิชาคอมพิวเตอร์Pahtamaporn Keawsiri

War Stories - From The Front Lines Of InfoSec!Stu Hirst

Stu Hirst - Thinking Out cLoud July 2019Stu Hirst

Reanimating DevOps to Build Things that WorkDevOpsDays Baltimore

Why Do Hackers Hack?Sucuri

I Don't Care About Security (And Neither Should You)Joel Lord

Recommandé

Stu Hirst - 10 Years To CisoStu Hirst

โครงงานวิชาคอมพิวเตอร์Pahtamaporn Keawsiri

War Stories - From The Front Lines Of InfoSec!Stu Hirst

Stu Hirst - Thinking Out cLoud July 2019Stu Hirst

Reanimating DevOps to Build Things that WorkDevOpsDays Baltimore

Why Do Hackers Hack?Sucuri

I Don't Care About Security (And Neither Should You)Joel Lord

DevSecOps - a 2 year journey of success & failure!Stu Hirst

Grow Your Technical Confidence (Ministry of Testing Masterclass 2023)Lisi Hocke

Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates

Purple teaming Cyber Kill ChainHaydn Johnson

An Imposter's Journey Into InfoSecStu Hirst

TConf 2017 - Testers in a Startup. Really?Melissa Ngau

If i wake evil 360John Strand

MacIT 2014 - Essential Security & Risk FundamentalsAlison Gianotto

How To Come Up With Content Marketing TopicsDaniel Oyston

DevOps Connect: Josh Corman and Gene Kim discuss DevOpsSecSonatype

DevOpsDays Houston 2019 -Kevin Crawley - Practical Guide to Not Building Anot...DevOpsDays Houston

Stu Hirst "Thinking Out cLoud" 2019Stu Hirst

(ISC)2 Security Congress EMEA. You are being watched.Internet Security Auditors

'Ignite: For Good' presentation 11: Wearable Tech: a help or a hindrance?, Ch...mysociety

Your users are humans and let's live our promise of securing themSanthosh Tuppad

Search Engine Hacking - CarolinaCon 9 (Stephen Chapman)Stephen Chapman

Connecting to the pulse of the planet with Twitter APIsAndy Piper

Cryptography 101 (with math)jessepollak

Password Storage Sucks!nerdybeardo

One Time Pad JournalAmirul Wiramuda

Stu Hirst - Imposter Syndrome 2024 - Presented at Cloud Expo Europe (Cyber Ke...Stu Hirst

AWS Meet Up COPENHAGEN.pptxStu Hirst

Contenu connexe

Similaire à Hi DevOps, I'm Security, I Love You

DevSecOps - a 2 year journey of success & failure!Stu Hirst

Grow Your Technical Confidence (Ministry of Testing Masterclass 2023)Lisi Hocke

Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates

Purple teaming Cyber Kill ChainHaydn Johnson

An Imposter's Journey Into InfoSecStu Hirst

TConf 2017 - Testers in a Startup. Really?Melissa Ngau

If i wake evil 360John Strand

MacIT 2014 - Essential Security & Risk FundamentalsAlison Gianotto

How To Come Up With Content Marketing TopicsDaniel Oyston

DevOps Connect: Josh Corman and Gene Kim discuss DevOpsSecSonatype

DevOpsDays Houston 2019 -Kevin Crawley - Practical Guide to Not Building Anot...DevOpsDays Houston

Stu Hirst "Thinking Out cLoud" 2019Stu Hirst

(ISC)2 Security Congress EMEA. You are being watched.Internet Security Auditors

'Ignite: For Good' presentation 11: Wearable Tech: a help or a hindrance?, Ch...mysociety

Your users are humans and let's live our promise of securing themSanthosh Tuppad

Search Engine Hacking - CarolinaCon 9 (Stephen Chapman)Stephen Chapman

Connecting to the pulse of the planet with Twitter APIsAndy Piper

Cryptography 101 (with math)jessepollak

Password Storage Sucks!nerdybeardo

One Time Pad JournalAmirul Wiramuda

Similaire à Hi DevOps, I'm Security, I Love You (20)

DevSecOps - a 2 year journey of success & failure!

Grow Your Technical Confidence (Ministry of Testing Masterclass 2023)

Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...

Purple teaming Cyber Kill Chain

An Imposter's Journey Into InfoSec

TConf 2017 - Testers in a Startup. Really?

If i wake evil 360

MacIT 2014 - Essential Security & Risk Fundamentals

How To Come Up With Content Marketing Topics

DevOps Connect: Josh Corman and Gene Kim discuss DevOpsSec

DevOpsDays Houston 2019 -Kevin Crawley - Practical Guide to Not Building Anot...

Stu Hirst "Thinking Out cLoud" 2019

(ISC)2 Security Congress EMEA. You are being watched.

'Ignite: For Good' presentation 11: Wearable Tech: a help or a hindrance?, Ch...

Your users are humans and let's live our promise of securing them

Search Engine Hacking - CarolinaCon 9 (Stephen Chapman)

Connecting to the pulse of the planet with Twitter APIs

Cryptography 101 (with math)

Password Storage Sucks!

One Time Pad Journal

Plus de Stu Hirst

Stu Hirst - Imposter Syndrome 2024 - Presented at Cloud Expo Europe (Cyber Ke...Stu Hirst

AWS Meet Up COPENHAGEN.pptxStu Hirst

Stu Hirst - Thinking Out cLoud 2020Stu Hirst

An Imposter's Journey Into InfoSecStu Hirst

Turing's Testers - Security Scotland May 2018Stu Hirst

Building a Security culture at Skyscanner 2016Stu Hirst

Plus de Stu Hirst (6)

Stu Hirst - Imposter Syndrome 2024 - Presented at Cloud Expo Europe (Cyber Ke...

AWS Meet Up COPENHAGEN.pptx

Stu Hirst - Thinking Out cLoud 2020

An Imposter's Journey Into InfoSec

Turing's Testers - Security Scotland May 2018

Building a Security culture at Skyscanner 2016

Dernier

GenAI Risks & Security Meetup 01052024.pdflior mazor

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays

presentation ICT roal in 21st century educationjfdjdjcjdnsjd

Artificial Intelligence: Facts and MythsJoaquim Jorge

Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous

2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong

Real Time Object Detection Using Open CVKhem

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer

Tech Trends Report 2024 Future Today Institute.pdfhans926745

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung

Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo

AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin

Apidays New York 2024 - The value of a flexible API Management solution for O...apidays

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93

From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software

Dernier (20)

GenAI Risks & Security Meetup 01052024.pdf

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

presentation ICT roal in 21st century education

Artificial Intelligence: Facts and Myths

Driving Behavioral Change for Information Management through Data-Driven Gree...

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Real Time Object Detection Using Open CV

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Tech Trends Report 2024 Future Today Institute.pdf

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

AWS Community Day CPH - Three problems of Terraform

Apidays New York 2024 - The value of a flexible API Management solution for O...

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Hi DevOps, I'm Security, I Love You

1. Hi DevOps, I’m Security, I Love You @stuhirstinfosec

2. Disclaimers; I like memes & gifs. I’m not an ‘expert’ or a ‘thought leader’, but I’ve learned some stuff along the way. @stuhirstinfosec

3. Who Am I? @stuhirstinfosec

4. @stuhirstinfosec

5. @stuhirstinfosec

6. @stuhirstinfosec So what’s wrong and how can we make it better?

11. @stuhirstinfosec We’ve perpetuated a myth that DevOps cause us pain

12. @stuhirstinfosec This sums up what has been wrong… Security believes it has to clean up the “unicorn shit” from DevOps. No wonder our relationship has been fraught…

13. @stuhirstinfosec Here, have a Jira ticket. You’re welcome.

18. @stuhirstinfosec SHIFTING LEFT! (IMBEDDING SECURITY AS EARLY AS WE CAN)

19. @stuhirstinfosec

20. @stuhirstinfosec Security SPEEDS UP DEVOPS!!!

21. @stuhirstinfosec

22. @stuhirstinfosec HEAR ME OUT! I’ll explain how….

23. @stuhirstinfosec CI/CD & Code • We don’t need you to code more securely, we should prevent it anyway • Automated code review • Code scanning (SAST/DAST) • OWASP Top 10 • Behaviour-driven (BDD)

24. @stuhirstinfosec CI/CD & Code • Release faster with less risk (yay!) • Fewer bugs to fix • Leverage open-source • Remediate vulnerabilities at scale

25. @stuhirstinfosec Bugs • Are Security bugs any different to functional bugs?! • Finding sec bugs will improve overall posture & introduce best practice over time

26. @stuhirstinfosec Bugs - how do we find them? • Bug Bounty / Crowdsourced testing • ‘Hack Yourself First’/Red Teaming • Scanners - e.g. OWASP ZAP • Pen Tests

27. @stuhirstinfosec

28. @stuhirstinfosec Cloud

29. @stuhirstinfosec Automating Security into Cloud Infrastructure pipelines can; • Make public buckets impossible • Force encryption at rest/in transit • Establish key management and rotation • Help with cost control (yes, really!)

30. @stuhirstinfosec

31. @stuhirstinfosec

32. @stuhirstinfosec Data • We help make it available by reducing Denial Of Service attacks • Preserve integrity so data can’t be altered • Ensure confidentiality

33. @stuhirstinfosec

34. @stuhirstinfosec Keys & Secrets North Carolina State University examined accidental leakage of authentication secrets to GitHub…..

35. @stuhirstinfosec Keys & Secrets 1. Secrets in over 100,000 repositories 2. Over 1000 committed daily

36. @stuhirstinfosec Keys & Secrets • Git-Secrets • Hashicorp Vault • https://github.com/dxa4481/truffleHog (search for high-entropy strings)

37. @stuhirstinfosec

38. @stuhirstinfosec Threat Modelling • What are we working on? • What can go wrong? • What are we going to do about it? • Did we do a good job?

39.

40. @stuhirstinfosec Threat Modelling - benefits • Reduce attack surface • Reduce vulnerabilities in Production • Increase collaboration • Architect better product!

41. @stuhirstinfosec Reducing Risk & Incidents • Boards LOVE risk reduction! • Fewer incidents = more time doing cool shit • Less time dealing with 9pm Friday nonsense = more beer time

42. @stuhirstinfosec WE MUST EXPECT SECURITY INCIDENTS TO HAPPEN!

43. @stuhirstinfosec Scalability • Helps businesses grow quickly with less friction • Reduces the need for growing Security teams • Brings accountability into DevOps

44. @stuhirstinfosec

45. @stuhirstinfosec Compliance & Regulation

46. @stuhirstinfosec Compliance

47. @stuhirstinfosec How Can DevOps Help Security?

48. @stuhirstinfosec Better Security increases TRUST in the products we build

55. FANKS! @stuhirstinfosec