DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
DevSecOps: An Organizational Primer
Tim Anderson,
Sr. Technical Industry Specialist,
AWS Security

Outcomes
o Blueprint for building DevSecOps operating model in your organization
o Understand the security practitioners’ point of view and embrace it to
drive innovation
o Identifying your current operating characteristics in your organization
and using that to drive a strategy for DevSecOps

How we get there
1. Construct the business case for DevSecOps
2. Use the Cloud Center of Excellence (CCOE) as your DevSecOps
foundational team
3. Use CI/CD to establishing mechanisms to ingrain and scale security

What Is Culture?
o Culture is the “software of the mind.” It is the core
logic that organizes people’s behavior
o The culture reflects the lessons learned that are
important enough to pass on to the next generation
o Values, beliefs, and practices that have been
developed and reinforced over time
Culture is “the Way We Do Things Around Here.”

Competing Forces
Business
Development Operations
Build it
faster
Keep it stable
Security
Make it
secure

The Challenge
“My security organization cannot keep pace with the business.”
“I want to take full advantage of AWS, but not all of the services are approved for use.”
“There is no clear security path to production.”
“We are transitioning from waterfall to Agile. How should my security team adapt?”

Building the business case for DevSecOps transformation

What is DevSecOps?
• DevSecOps is the combination of cultural
philosophies, practices, and tools that exploits the
advances made in IT automation to achieve a
state of production immutability, frequent delivery
of business value, and automated enforcement of
security policy.
• DevSecOps is achieved by integrating and
automating the enforcement of preventive,
detective, and responsive security controls into the
pipeline.
Security
OperationsDevelopment

Tenets of DevSecOps
1. Test security as early as possible to accelerate feedback.
2. Prioritize preventive security controls to stop bad things from happening.
3. When deploying a detective security control, ensure it has a complementary
responsive security control to do something about it.
4. Automate, automate, automate.

The Benefits
o Fast time to market or time to value for internal use products
o Less waste from producing unneeded capabilities
o Less waste from producing capabilities that do not accomplish objectives
o Less waste in processes (both inside and outside of IT)
o Reduced risk
o Increased innovation
o Better operational controls through automation

Lack of business agility
• Slow to onboard new
customers
• Outpaced by disruptors
• Rogue dev projects
Security lacks agility
• Slow threat assessments
• Can’t patch fast enough
• Reactive security posture
• Rogue dev projects
The Current State of Affairs

Risk of change to the business
• Regulatory/compliance constraints
• Impact to the workforce
• Cost overruns
• Scaling security
• Impact to governance strategy and processes
The Current State of Affairs

Identify desired
attitudes and behaviors
for successful
cloud adoption
Communicate
attitudes and
behaviors
Align explicit and
implicit reward
systems
Align hiring,
training, and
incentive practices
How to Influence Cultural Change?

Key Tenets to Recognize
When Considering
Change Management:
1. Change management is an enabling
framework for the people side of change
2. Organizational change requires
individual/personal change
3. The scope and type of change inform
the change management plan
Expect Reluctance and
Resistance to Change from
Across the Organization:
1. Employee resistance to
change is the Rule!
2. The RIGHT solutions is NOT in and of Itself
enough to motivate employees
3. Message conveyed ≠ message received
Change occurs for a REASON – The #1 purpose is to get to a better place
Change Management: Key Tenets

Building a security focused CCOE to drive cultural change
DevSecOps 1.0 Team

Commission a CCOE
• Cross-functional
• Hands-on
• Co-located and dedicated
• Empowered
• A change agent
• Creates roadmap
• Establishes standards
• Partners with early-adopters
A two-pizza, empowered, and accountable team that owns the cloud strategy, establishing
the cloud service, and helping the business / dev teams migrate their first few applications

Wait, what’s a two-pizza team?
“If you can't feed a team with two pizzas,
the team is too large.”
- Jeff Bezos

Function of a CCoE
o A small nimble organization typically sourced from within to drive rapid
adoption
o To establish repeatable processes and templates for deploying applications
while maintaining organizational control over their enterprise’s applications
o To centralize common functions for security and compliance
o To accelerate the rate of change through reuse of approved configurations,
which minimizes development and approval time

Staff your Cloud Team
Product Manager
“Swiss Army Knife” initially taking on all
functions of the business office. Works
directly with business and/or development
teams to generate and prioritize backlog of
what services need to be delivered to support
applications.

Lead Architect
Accountable for overall cloud technical
architecture; partners with Product Manager to
translate customer requirements into technical
deliverables; establishes technical direction;
does technical delivery as well.

Infrastructure Engineers
Provide integrations with corporate
datacenters, shared cloud infrastructure
services, Works on engineering and
continuous improvement of infrastructure
stacks, templates, images, and other artifacts.Leadership

Security Engineers
Provide standardized offerings to facilitate
ongoing security and compliance within
application stacks and the cloud environment
overall; Integrates security standards and
controls products and offerings.LeadershipInfrastructure

Operations Engineers
Provide outcomes to facilitate the successful
deployment of applications on infrastructure
stacks: artifact/code repositories, upgrades,
patching. Also responsible for operational
health: metrics, logging, alerting, inventory,
capacity, and billing/tag management.
LeadershipInfrastructure Security

Application Engineers
Representatives of the first-mover application
teams. Work closely with the Cloud Team to
provide the voice of the customer as cloud
services are being developed.LeadershipInfrastructure Security
Operations

Driving Change with The CCOE
o Building reusable patterns
o Ingraining security with every team member
o Visibility of team operations
o Continuous improvement – feedback cycle and actions
o Look to simplify

Driving Change with The CCOE
o Targets and measures for success
o Use technical tools not as a goal but for efficiency and
reducing the burden
o Tools can improve speed, agility, accuracy and visibility.
o Top down model without prior team success will fail -
Puppet State of DevOps report

Scaling beyond a CCOE
On-Boarding
Finance
Enterprise
Architecture
Marketing
Governance
LeadershipInfrastructure SecurityOperationsApplications
Engineering teams will specialize in an area, but will have a
common set of skills shared across all product teams
Operations
Engineering
Infrastructure
Engineering
Security
Engineering
Cloud Business Office
(Director)
Cloud Engineering
(Director)

Continuous Delivery of Cloud Services
Pull Approved
Platform Artifacts
from Shared Repos
2
Extend Approved
Artifacts for App
Stacks
3
Build & Test
Cloud
Services
3
Integrate &
Deploy Cloud
Services
4
Populate
Revise
Prioritize
Backlog
2
Publish Artifacts
& Documentation
for Cloud Services
6
Operate Cloud
Services
5
Lifecycle
Management of
Application
Stacks
6
Operate
Application
Stacks
5
Build, Test,
and Deploy
App Stacks
4
1
Continuous Delivery of Application Services
1
Service
Catalog or
Shared
Repositories
Team Interaction and Workflow
On-Boarding,
Coaching, &
Product Feedback

Continue to Scale, Adjust, & Improve
Chief Technology Officer
Cloud Transformation
(SVP / VP)
Core
Infrastructure
OperationsInfrastructure Security Migration
Compute,
Network
Runtime, DB
Middleware
Monitoring &
Logging
Continuous
Delivery
Perimeter
Security
Threat &
Vulnerability
Secret & Key
Management
Analysis &
Reporting
Migration
Team #1
Migration
Team #2
Cloud Engineering Cloud Business Office
EA, Governance,
& Compliance
On-Boarding &
Education Cloud
Community, Culture,
& Advocacy
Financial Mgmt
& Accounting
Governance
Enterprise
Architecture
On-boarding Finance
Change Mgmt
& Comm

Transforming security to be a business enabler

Organizational change
Move Security up the value chain
Security as quality
Lead communities of practice
Ensure cloud awareness

Instead of “No”, security should say
“how can we do this?”
o Change from gating to guardrails
o Establish norms for security hygiene and set high quality standards
o Craft policies so teams can operate freely within the determined
constraints – stepping towards continuous authorization.
o Consistently communicate the connection between security and mission
objectives

Turning everyone into a security owner
Education programs
Incentives
Tool assisted efforts Collaboration platforms
Technical quality tools
Threat modeling tools

COMMIT
CHANGES
BUILD ARTIFACTS DEPLOY TO TEST
ENVIRONMENT
RUN INTEGRATION,
SECURITY,
LOAD AND OTHER TESTS
DEPLOY TO
PRODUCTION
ENVIRONMENT
MANAGE
RUNTIME
SOURCE
CONTROL
BUILD TESTING &
STAGING
PRODUCTION MAINTAIN
CONTINUOUS INTEGRATION CONTINUOUS DELIVERY
Driving Security with CI/CD

CI/CD Security Strategy
o Security of the CI/CD Pipeline
Automated IAM roles, Jenkins server hardening, etc.
o Security in the CI/CD Pipeline
Automated security tests, code analysis, etc.
o Enforcement of the Pipeline
Automated Incident Response Remediation, forensics, etc.

Get Humans Away from Your Data

Security Blind Spots
Can’t scaleLack of rigorDisparate sources
</>
#
@
+=
28.25
If(

DevSecOps CI/CD Process
Document
Commit
Continuous
Integration/
Testing
Continuous
Deployment
QA/Integrati
on Testing
Code/Test
Security Focused Code
Review
Automated Security
Testing
Security Review/Acceptance Testing
Inception Project Configuration
Secure/Hardened
Environments
Threat Modelling
*Source Carnegie Mellon

What does it look like?
AWS Cloud
Developers
AMI
Lambda
Function
1. Scan for creds
2. Static analysis
3. Logic / Library scan
4. Smoke test
5. Deploy into repo

432
What does it look like?
Developers
AMI
Lambda
Function
1
1. Scan for creds
2. Static analysis
3. Logic / Library scan
4. Smoke test
5. Deploy into repo
5
Logs Logs Logs Logs
Logs
AWS Cloud

Giving security confidence – Proving Assurance
o Threat modeling
o Feed security cases to the Dev team - work it like high priority defects
o Address separation of duties concerns
o Adopting zero known defect approach
o Continuously vet/audit security in dev and prod
o Rigorous testing in each environment
o Peer review - Each technologist should be thinking about possible defects
and possible security vulnerabilities. Code should always be reviewed by a
peer, who should also be looking for vulnerabilities

Consistency Breeds Trust
CI/CD
Normalize
processes and
tech stack
normal vs.
abnormal
behavior
Maintain
disciplined
ITSM use
Configuration
management
Release
management

Using CI/CD to Drive Cultural Security Milestones
Deeply understand your SDLC
• Sit security team members
with a development team
for as many days as you can.
Catalog the controls
• Gain visibility into CI/CD
pipelines. That’s where
change management and
control happens now.
Document every instance of
human interaction
• With systems that process
data. Let engineering &
operations teams drive this
goal.
Reduce human access
• Set and achieve a goal to
reduce human access to
systems that process
sensitive data by 80%
Set a goal to deploy
workloads from source.
• Catalog the % of workloads
that are built on
automation vs. those built
with manual steps

Mechanisms for building a security culture
1. Consistently communicate the connection between security and
mission objectives.
2. Set up practices to “build security in,” and fast feedback mechanisms
to correct mistakes.
3. Establish norms for security hygiene and set high quality standards.
4. Adopt a zero-known-defect approach.
5. Continuously vet security, both in development and production.

Thank You

Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft

Similar to DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft (20)

More from Amazon Web Services

More from Amazon Web Services (20)

DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft