LinkedIn.com/in/LarryMaccherone
DevSecOps is not just DevOps lipstick on a traditional security pig
Larry Maccherone
DevSecOps Wave: Just Marketing?

Larry Maccherone
Larry_Maccherone@Comcast.com
DevOps is fertile ground for the concepts driving the DHS-sponsored Build-Security-In portal that Noopur Davis, Gary McGraw, and I launched a decade ago.
DevOps = opportunity for security
As DevOps exponentially speeds up the pace of development, bolt-on security by security specialists won't scale … so security MUST be a primary concern of the development team.

What is DevOps?
• A new role?
• Partnership/communication/empathy between Dev and Ops?
• CI/CD tools?
• Automation?
• Self-service?
• Techniques like feature flags or traffic shaping?
• "Move fast and break things"?
• Culture change (systems thinking, continuous improvement, etc.)?

DevOps is… empowered engineering teams taking ownership of how their product performs in production.

DevOps → different decisions
"I don't always test, but when I do, it's in production"

Mature DevOps practices
1. Develop in trunk
  • No long-lived branches
  • Short branches for code review, build-checking, time-intensive test suites, security scanning, etc.
  • Dead-end release branches OK
2. Partial/unvalidated features behind toggles/flags and/or traffic shaping
3. Automated validation → automated push to prod
Feature toggles & traffic shaping
• Run-time switchable
  • Database backed
  • Also for safe-to-fail feature experiments
• Build/deploy time
  • Common for micro-services & APIs
• Traffic shaping
  • Rules engine + database backed

Examples: XRE Guide's Application Discovery Service (ADS); XRE Guide's Redirector Traffic Shaping Router
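As an added illustration (not code from the talk or from the XRE Guide services it names), here is a run-time switchable, store-backed feature flag with traffic-shaping rules and a safe-to-fail fallback. The flag store, flag name and cohort names are constructed; a real system would read the store from a database or config service.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the database-backed flag store the slide describes.
# Because route() reads it on every request, flipping a value here takes
# effect immediately, without a rebuild or redeploy.
FLAG_STORE = {
    "new-checkout": {
        "enabled": True,                     # run-time kill switch
        "percent": 20,                       # traffic shaping: share of users on the new path
        "cohorts": ["employees"],            # rule: these cohorts always get the new path
        "blocked_cohorts": ["legacy-api"],   # rule: these cohorts never do
    },
}


@dataclass
class Request:
    user_id: str
    cohorts: list = field(default_factory=list)


def bucket(flag: str, user_id: str) -> int:
    """Stable 0-99 bucket derived from flag + user, so a percentage rollout
    routes the same user the same way on every request (no flip-flopping)."""
    digest = hashlib.sha256(f"{flag}:{user_id}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100


def route(flag: str, req: Request, store=FLAG_STORE) -> str:
    """Rules engine: decide 'new' or 'old' for this request.
    Order matters: kill switch, then block rules, then allow rules, then percentage."""
    cfg = store.get(flag)
    if not cfg or not cfg["enabled"]:
        return "old"
    if any(c in cfg["blocked_cohorts"] for c in req.cohorts):
        return "old"
    if any(c in cfg["cohorts"] for c in req.cohorts):
        return "new"
    return "new" if bucket(flag, req.user_id) < cfg["percent"] else "old"


def safe_to_fail(flag: str, req: Request, new_impl, old_impl, store=FLAG_STORE):
    """Safe-to-fail experiment: run the new path when routed to it; if it
    raises, serve this request from the old path and trip the kill switch so
    no further traffic is shaped onto the failing feature."""
    if route(flag, req, store) == "old":
        return old_impl(req)
    try:
        return new_impl(req)
    except Exception:
        store[flag]["enabled"] = False   # auto-disable; a real system would also alert
        return old_impl(req)
```

A cohort rule beats the percentage rollout, so an employee is always on the new path while a blocked cohort never is, and the first exception in the new path disables it for everyone.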
What is Dev[Sec]Ops?
Dev[Sec]Ops is… empowered engineering teams taking ownership of how their product performs in production [including security].
Dev[Sec]Ops Results
• Dramatically faster time to market → happier customers → more revenue
• 5x lower rate of failures caused by changes [1]
• 96x faster recovery from downtime failures [1]

It's scary to QA and Security, but "moving fast and breaking things" leads to dramatically lower rates of customer-experienced defects and vulnerabilities.

[1] Puppet's 2017 State of DevOps Report
DevSecOps Manifesto
Build security in more than bolt it on
Rely on empowered engineering teams more than security specialists
Implement features securely more than security features
Rely on continuous learning more than end-of-phase gates
Build on culture change more than policy enforcement
We, the Security Team…

Recognize that Engineering Teams…
• Want to do the right thing
• Are closer to the business context and will make smart trade-off decisions between security and other risks
• Want information and assistance so they can improve our security posture

Pledge to…
• Lower the cost/effort side of any investment in developer security tools or practices
• Assist 2x as much with preventative initiatives as we beg for your assistance reacting to security incidents

Understand that…
• We are no longer gate keepers but rather tool-smiths and advisors

Trust = (Credibility + Reliability + Empathy) / Apparent self-interest
https://www.devsecopsdays.com/articles/trust-algorithm-applied-to-devsecops
Many supposed DevSecOps tools are just lipstick on a pig

Think of security testing tools as just another testing suite, like those for unit, acceptance, etc.
Dev[Sec]Ops Tool Landscape
Static Analysis (aka SAST)
• Looks at source code
• Data/control flow analysis
• Prone to false positives
• Rapid feedback for developers
• Code fix suggestions

Dynamic
• Exercises app via UI/API
• Senses vulnerability by response to input
• Zero? false positives. Report is an exploit
• High false negatives
• Difficult to implement, especially w/ auth
• Sometimes hard to find code to remediate

Runtime Application Security Protection (RASP)
• Often uses same engine as IAST
• Reports on "bad" behavior
• Can abort transaction or kill process to protect

Fuzzing (black box)
• Instruments system (to varying degrees)
• Sends unexpected input at API
• Looks at response and instrumentation output
• Great for testing protocols like SIP
• Good for REST APIs
• Potentially long run times
• Hard to find code to remediate

Software Composition Analysis (SCA), for imported code
• Identifies dependency and version
• Checks CVE/NVD + … for reported vulnerabilities
• Proposes version/patch to remediate
• Checks license vs policy
• Runs fast
• Easy to implement
• Best bang for buck!

IAST
• Runtime code analysis
• Combines dynamic/static
• Low false positives
• Depends on test coverage
• Immature but getting there
Criteria for DevSecOps tools
• Integrated and runs fast in pipeline for current dev cycle:
  • Parallelized with other test suites, or…
  • In-series, or…
  • Incremental parallelized/in-series from asynchronous baseline, or…
  • Asynchronous out of pipeline for baseline/feedback for next dev cycle
• Notifications the way the team wants: Slack, email, report, dashboard, etc.
• Interrupt the pipeline the way the team wants: break the build, turn the merge button red, etc.
• Environment-specific (dev, staging, prod, etc.) "policy"
DevSecOps Tool recommendations
• SCA (aka dependency checkers, open source security scanners) are the best bang for the buck/effort. START HERE
• Next implement IAST or SAST (together, we created a category grouping these two called Primary Code Analysis). FAVOR IAST
• Embed in pipeline and treat like an additional test suite.
• For greenfield, turn on all checkers and interrupt pipeline unless automated security tests come up clean.
• For legacy, "stop the bleeding" by interrupting pipeline for NEW issues and slowly turn up the interrupt policy until all legacy issues are resolved. Plan to address all critical/high issues within 120 days.
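To make the "stop the bleeding" recommendation and the environment-specific policy criterion concrete, here is an added example (not the speaker's tooling) of a pipeline gate that fails only on findings absent from a stored baseline and applies a per-environment severity threshold that can be turned up over time. The findings, rule names and policy table are constructed; real SAST/SCA tools each emit their own report format that would be mapped into this shape.

```python
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Environment-specific "policy": which severity interrupts the pipeline and
# whether pre-existing (baseline) issues count. Turning up the interrupt
# policy for legacy code means lowering fail_on or flipping include_baseline.
POLICY = {
    "dev":     {"fail_on": "critical", "include_baseline": False},
    "staging": {"fail_on": "high",     "include_baseline": False},
    "prod":    {"fail_on": "medium",   "include_baseline": True},
}


def finding_key(f):
    """Identity used for baseline matching. Line numbers are deliberately not
    part of the key, so unrelated edits that shift code are not reported as new."""
    return (f["tool"], f["rule"], f["file"])


def gate(findings, baseline, env, policy=POLICY):
    """Return (should_fail, new_findings, blocking).
    new_findings: findings not present in the baseline ("stop the bleeding").
    blocking: the findings that actually interrupt the pipeline under env's policy."""
    p = policy[env]
    known = {finding_key(f) for f in baseline}
    new = [f for f in findings if finding_key(f) not in known]
    candidates = findings if p["include_baseline"] else new
    threshold = SEVERITY_RANK[p["fail_on"]]
    blocking = [f for f in candidates if SEVERITY_RANK[f["severity"]] >= threshold]
    return (len(blocking) > 0, new, blocking)


def update_baseline(findings, baseline):
    """Drop resolved issues from the baseline so it only ever shrinks; the
    120-day critical/high clean-up is tracked against what remains here."""
    current = {finding_key(f) for f in findings}
    return [f for f in baseline if finding_key(f) in current]


# Constructed sample data: two legacy issues already in the baseline plus two
# issues introduced by the change under test.
BASELINE = [
    {"tool": "sast", "rule": "sql-injection", "file": "app/orders.py", "severity": "high"},
    {"tool": "sca", "rule": "vulnerable-dependency", "file": "requirements.txt", "severity": "medium"},
]
FINDINGS = BASELINE + [
    {"tool": "sast", "rule": "hardcoded-secret", "file": "app/config.py", "severity": "critical"},
    {"tool": "sast", "rule": "weak-hash", "file": "app/auth.py", "severity": "medium"},
]

if __name__ == "__main__":
    env = sys.argv[1] if len(sys.argv) > 1 else "staging"
    fail, new, blocking = gate(FINDINGS, BASELINE, env)
    print(f"[{env}] {len(new)} new finding(s), {len(blocking)} blocking")
    for f in blocking:
        print(f"  {f['severity'].upper():8} {f['tool']} {f['rule']} {f['file']}")
    sys.exit(1 if fail else 0)   # non-zero exit is what "breaks the build"
```

Under the staging policy the two legacy findings pass through and only the new critical one blocks; the new medium finding is reported but does not interrupt until the threshold is turned up.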
What will happen to security specialists?

… similar to what happened to QA Engineers with the Agile movement
… they will join a development team
… or they will become tool-smiths and advisors
What's next?
• Questions?
• Read about the Trust Algorithm: https://www.devsecopsdays.com/articles/trust-algorithm-applied-to-devsecops
• Connect with me: LinkedIn.com/in/LarryMaccherone
