SlideShare a Scribd company logo

Divine and felonios cyber security devopsdays austin 2018

John Willis
John Willis

DevSecOps

Software
1 of 44
Download to read offline
The Divine and Felonious Nature of Cyber Security ( Introduction to DevSecOps ) John Willis @botchagalupe
https://github.com/botchagalupe/my-presentations
The Felonious Nature of Cyber Security
Actual Exploitation 2015 VZ DBIR
Sonatype
DevSecOps Community Survey 2018 - Sonatype
• Discovered 3/6/2017
 • Announced 3/9/2017
 • CVE created 3/10/2017
 • Equifax discovers 7/2017
 • Equifax announced 9/2017
 Anatomy of CVE-2017-5638 @botchagalupe
• Discovered - 3/9/2017
 • Action - 3/10/2017
 • Remediation - 3/14/2017
 Anatomy of CVE-2017-5638 @botchagalupe
Anatomy of CVE-2017-5638 • As of fall 2017 (3,054) organizations downloaded the exact version of Struts2 that was publicly disclosed as vulnerable on 3/10/17 and subsequently exploited at Equifax between 5/17-9/17.
 • As of fall 2017 (46,557) organizations downloaded a version of Struts and/or its sub projects with known vulnerabilities despite perfectly safe versions being available. Data derived from Sonatype’s 2017 Software Supply Chain Report @botchagalupe
Anatomy of CVE-2017-8046 (Fool Me Once) • Published 9/21/17
 • CVE created 01/04/2018
 • Discovered 2/18/17
 • Corrected 3/6/18
 @botchagalupe
• For the 5 months prior to the September 2017 disclosure, developers downloaded the affected Spring components 411,046 times while they were believed to be good. • In the 5 months after the September 2017 disclosure, developers downloaded the affected Spring components which were then known to be vulnerable 367,351 times. Only an 11% dip. Data derived from Sonatype’s 2017 Software Supply Chain Report Anatomy of CVE-2015-8046 (Fool Me Once) @botchagalupe
Security and the Goldilocks Zone • The fallacious nature of cyber security relates to the standard legacy security model specifically on the idea of perimeter security. • This concept involves the implementation of a state-full firewall at a routed point within the network that very rarely gets looked at unless an operational change is required. • The problem with having only premier security is that applications have changed significantly in the last ten years and the infrastructure they run upon is playing by the same old rules.

Very Quick Talk About Devops
@botchagalupe
Devops Automated Deployment Pipeline Source: Wikipedia - Continuous Delivery @botchagalupe
Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree • Over 75M test cases run daily @botchagalupe
Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree 2016 150 Million automated tests run daily… @botchagalupe
19 Summary • Agile took us from months to days to deliver software • Devops took from months to days to deploy software • Now security is the bottleneck @botchagalupe
Adversaries
Knowing Adversities and Motivations
Knowing Adversities and Motivations
DevSecOps
You Build It, You Secure It @botchagalupe
DevSecOps as Supply Chain? 26 Source: Wikipedia - Continuous Delivery @botchagalupe
Software Supply Chain 27 Delivery Team Version Control Build Test Release DevOps Example Stage Prod @botchagalupe
Software Supply Chain 28 Delivery Team Version Control Build Test Release DevOps Example Stage Prod @botchagalupe
Security in the Software Supply Chain 29 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod @botchagalupe
Security in the Software Supply Chain 30 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod @botchagalupe
Implementing DevOps in a Regulated Environment Requirements & Design Development CI Interval Trigger Assessment Production Application Risk Classification Security Requirement Definition Secure Libraries Static Analysis/IDE SCM Open Source Governance(CI) Secure Coding Standards Perimeter Assessment Dynamic Assessments Threat-Based Pen Test Web Application Firewalls Automated Attack/ Bot Defense Container Security Management Security Mavens (Security-Trained Developers and Operations) Role Based Software Security Training Continuous Monitoring, Analytics and KPI Gathering Preventative Detective Container Security Compliance (CI) Threat modeling Static Analysis (CI) @botchagalupe
33 Delivery Team Version Control Build Test Release DevSecOps Supply Chain Stage Prod The New Goldilocks Zone (DevSecOps) Security Training Security Requirements Threat Modeling Architecture Review OWASP Top 10 IDE Plugins Code Examples Fail the Build Static Code Analysis Security Policy Testing Configuration Analysis Vulnerability Scanning Code and App Analysis Automated Pen Testing Static Code Analysis Security Policy Testing Configuration Analysis Security Monitoring
 Configuration Monitoring
Best Practices for DevSecOps • Train development teams to develop secure code • Track security issues the same as software issues • If infrastructure is now code, then security should be code. • Integrate security controls in the software pipeline • Automate security test in the build process • Detect known vulnerabilities during the pipeline • Monitor security in production for known states • Inject failure to ensure security is hardened Gene Kim, Jez Humble, Patrick Dubois, and John Willis. 
 The DevOps Handbook; It Revolution Press, LLC.;2016.@botchagalupe
The Divine
@botchagalupe
The Felonious Nature of Cyber Security @botchagalupe
38 Bonus Material
Kill Chain Example 39 Amazon AWS Amazon VPC
DevSecOps Kaizen - Full Life Cycle 1.Key Outcomes 2.Countermeasures 3.Storyboard 4.Kanban Board 5.Post Retrospective 1 2 3 4 5
41 More Security Meta Points • Have security create templates, recipes, playbook • Create a Wiki for Security • All Issues managed in a common issue system • Create a Github Repo for OWASP code examples • Create interactive visual environments for security • Visualize all the things…. • A bug is a bug is a bug…. @botchagalupe
42 DevSecOps and Cloud Configuration • IAM and resource policies (S3 Bucket, SQS, etc.) • Permissive policies (e.g. wildcards) • Security Group ingress and egress rules • Liberal rules (e.g. 0.0.0.0/0, port range 1-65535 is open) • Encryption • Encryption that is not enabled or enforced for applicable resources • Automatic Key Rotation • KMS keys that don't have rotation enabled, • Invalid SSL configurations • ELBs with invalid SSL configurations
43 DevSecOps and Containers • Base Image Policies • Signed images • Capabilities policies • Vulnerability Image Scans • Port Restrictions • Secrets Management @botchagalupe
44 DevSecOps and Serverless • OWASP top 10 are still relevant • Proper Permissions • Data, Keys and Secrets • Still can have vulnerable code dependancies @botchagalupe

Recommended

Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018John Willis
 
KubeSecOps
KubeSecOpsKubeSecOps
KubeSecOpsKarthik Gaekwad
 
Your Developers Can Be Heroes on Kubernetes
Your Developers Can Be Heroes on KubernetesYour Developers Can Be Heroes on Kubernetes
Your Developers Can Be Heroes on KubernetesAmbassador Labs
 
DevSecOps in a cloudnative world
DevSecOps in a cloudnative worldDevSecOps in a cloudnative world
DevSecOps in a cloudnative worldKarthik Gaekwad
 
CI / CD with fabric8
CI / CD with fabric8 CI / CD with fabric8
CI / CD with fabric8 James Rawlings
 
Datadog- Monitoring In Motion
Datadog- Monitoring In Motion Datadog- Monitoring In Motion
Datadog- Monitoring In Motion Cloud Native Apps SF
 
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hopeMicroservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hopeSergii Bishyr
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 

Recommended

Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018John Willis
 
KubeSecOps
KubeSecOpsKubeSecOps
KubeSecOpsKarthik Gaekwad
 
Your Developers Can Be Heroes on Kubernetes
Your Developers Can Be Heroes on KubernetesYour Developers Can Be Heroes on Kubernetes
Your Developers Can Be Heroes on KubernetesAmbassador Labs
 
DevSecOps in a cloudnative world
DevSecOps in a cloudnative worldDevSecOps in a cloudnative world
DevSecOps in a cloudnative worldKarthik Gaekwad
 
CI / CD with fabric8
CI / CD with fabric8 CI / CD with fabric8
CI / CD with fabric8 James Rawlings
 
Datadog- Monitoring In Motion
Datadog- Monitoring In Motion Datadog- Monitoring In Motion
Datadog- Monitoring In Motion Cloud Native Apps SF
 
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hopeMicroservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hopeSergii Bishyr
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
Application Security - 28 Nov 2018
Application Security - 28 Nov 2018Application Security - 28 Nov 2018
Application Security - 28 Nov 2018Cheah Eng Soon
 
Why Visibility into Your Stack Matters
Why Visibility into Your Stack MattersWhy Visibility into Your Stack Matters
Why Visibility into Your Stack MattersAmazon Web Services
 
20 mins to Faking the DevOps Unicorn by Matt williams, Datadog
20 mins to Faking the DevOps Unicorn by Matt williams, Datadog20 mins to Faking the DevOps Unicorn by Matt williams, Datadog
20 mins to Faking the DevOps Unicorn by Matt williams, DatadogDocker, Inc.
 
stackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesstackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesNETWAYS
 
Devops online training ppt
Devops online training pptDevops online training ppt
Devops online training pptKhalidQureshi31
 
Continuous Delivery the Hard Way with Kubernetes
Continuous Delivery the Hard Way with Kubernetes Continuous Delivery the Hard Way with Kubernetes
Continuous Delivery the Hard Way with Kubernetes Weaveworks
 
Netflix: From Zero to Production-Ready in Minutes (QCon 2017)
Netflix: From Zero to Production-Ready in Minutes (QCon 2017)Netflix: From Zero to Production-Ready in Minutes (QCon 2017)
Netflix: From Zero to Production-Ready in Minutes (QCon 2017)Tim Bozarth
 
Automating Network Firewall Rule Creation using Powershell and CI/CD
Automating Network Firewall Rule Creation using Powershell and CI/CDAutomating Network Firewall Rule Creation using Powershell and CI/CD
Automating Network Firewall Rule Creation using Powershell and CI/CDNills Franssens
 
Principles of Monitoring Microservices
Principles of Monitoring MicroservicesPrinciples of Monitoring Microservices
Principles of Monitoring MicroservicesMichael Ducy
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentLibbySchulze
 
2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...
2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...
2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...Ambassador Labs
 
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
swampUP - 2018 - The Divine and Felonious Nature of Cyber SecurityswampUP - 2018 - The Divine and Felonious Nature of Cyber Security
swampUP - 2018 - The Divine and Felonious Nature of Cyber SecurityJohn Willis
 
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...NETWAYS
 
IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)
IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)
IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)Red Hat Developers
 
Microservice pitfalls
Microservice pitfalls Microservice pitfalls
Microservice pitfalls Mite Mitreski
 
FOSDEM 2021 - Infrastructure as Code Drift & Driftctl
FOSDEM 2021 - Infrastructure as Code Drift & DriftctlFOSDEM 2021 - Infrastructure as Code Drift & Driftctl
FOSDEM 2021 - Infrastructure as Code Drift & DriftctlStephane Jourdan
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
CICD Azure DevOps
CICD Azure DevOpsCICD Azure DevOps
CICD Azure DevOpsSergey Seletsky
 
Microservices with Spring Boot
Microservices with Spring BootMicroservices with Spring Boot
Microservices with Spring BootRasheed Waraich
 
You Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsYou Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsSumo Logic
 
You build it - Cyber Chicago Keynote
You build it - Cyber Chicago KeynoteYou build it - Cyber Chicago Keynote
You build it - Cyber Chicago KeynoteJohn Willis
 

More Related Content

What's hot

Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
Application Security - 28 Nov 2018
Application Security - 28 Nov 2018Application Security - 28 Nov 2018
Application Security - 28 Nov 2018Cheah Eng Soon
 
Why Visibility into Your Stack Matters
Why Visibility into Your Stack MattersWhy Visibility into Your Stack Matters
Why Visibility into Your Stack MattersAmazon Web Services
 
20 mins to Faking the DevOps Unicorn by Matt williams, Datadog
20 mins to Faking the DevOps Unicorn by Matt williams, Datadog20 mins to Faking the DevOps Unicorn by Matt williams, Datadog
20 mins to Faking the DevOps Unicorn by Matt williams, DatadogDocker, Inc.
 
stackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesstackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesNETWAYS
 
Devops online training ppt
Devops online training pptDevops online training ppt
Devops online training pptKhalidQureshi31
 
Continuous Delivery the Hard Way with Kubernetes
Continuous Delivery the Hard Way with Kubernetes Continuous Delivery the Hard Way with Kubernetes
Continuous Delivery the Hard Way with Kubernetes Weaveworks
 
Netflix: From Zero to Production-Ready in Minutes (QCon 2017)
Netflix: From Zero to Production-Ready in Minutes (QCon 2017)Netflix: From Zero to Production-Ready in Minutes (QCon 2017)
Netflix: From Zero to Production-Ready in Minutes (QCon 2017)Tim Bozarth
 
Automating Network Firewall Rule Creation using Powershell and CI/CD
Automating Network Firewall Rule Creation using Powershell and CI/CDAutomating Network Firewall Rule Creation using Powershell and CI/CD
Automating Network Firewall Rule Creation using Powershell and CI/CDNills Franssens
 
Principles of Monitoring Microservices
Principles of Monitoring MicroservicesPrinciples of Monitoring Microservices
Principles of Monitoring MicroservicesMichael Ducy
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentLibbySchulze
 
2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...
2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...
2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...Ambassador Labs
 
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
swampUP - 2018 - The Divine and Felonious Nature of Cyber SecurityswampUP - 2018 - The Divine and Felonious Nature of Cyber Security
swampUP - 2018 - The Divine and Felonious Nature of Cyber SecurityJohn Willis
 
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...NETWAYS
 
IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)
IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)
IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)Red Hat Developers
 
Microservice pitfalls
Microservice pitfalls Microservice pitfalls
Microservice pitfalls Mite Mitreski
 
FOSDEM 2021 - Infrastructure as Code Drift & Driftctl
FOSDEM 2021 - Infrastructure as Code Drift & DriftctlFOSDEM 2021 - Infrastructure as Code Drift & Driftctl
FOSDEM 2021 - Infrastructure as Code Drift & DriftctlStephane Jourdan
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
Microservices with Spring Boot
Microservices with Spring BootMicroservices with Spring Boot
Microservices with Spring BootRasheed Waraich
 

What's hot (20)

Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
 
Application Security - 28 Nov 2018
Application Security - 28 Nov 2018Application Security - 28 Nov 2018
Application Security - 28 Nov 2018
 
Why Visibility into Your Stack Matters
Why Visibility into Your Stack MattersWhy Visibility into Your Stack Matters
Why Visibility into Your Stack Matters
 
20 mins to Faking the DevOps Unicorn by Matt williams, Datadog
20 mins to Faking the DevOps Unicorn by Matt williams, Datadog20 mins to Faking the DevOps Unicorn by Matt williams, Datadog
20 mins to Faking the DevOps Unicorn by Matt williams, Datadog
 
stackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesstackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelines
 
Devops online training ppt
Devops online training pptDevops online training ppt
Devops online training ppt
 
Continuous Delivery the Hard Way with Kubernetes
Continuous Delivery the Hard Way with Kubernetes Continuous Delivery the Hard Way with Kubernetes
Continuous Delivery the Hard Way with Kubernetes
 
Netflix: From Zero to Production-Ready in Minutes (QCon 2017)
Netflix: From Zero to Production-Ready in Minutes (QCon 2017)Netflix: From Zero to Production-Ready in Minutes (QCon 2017)
Netflix: From Zero to Production-Ready in Minutes (QCon 2017)
 
Automating Network Firewall Rule Creation using Powershell and CI/CD
Automating Network Firewall Rule Creation using Powershell and CI/CDAutomating Network Firewall Rule Creation using Powershell and CI/CD
Automating Network Firewall Rule Creation using Powershell and CI/CD
 
Principles of Monitoring Microservices
Principles of Monitoring MicroservicesPrinciples of Monitoring Microservices
Principles of Monitoring Microservices
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
 
2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...
2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...
2017 Microservices Practitioner Virtual Summit: Move Fast, Make Things: how d...
 
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
swampUP - 2018 - The Divine and Felonious Nature of Cyber SecurityswampUP - 2018 - The Divine and Felonious Nature of Cyber Security
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
 
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...
 
IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)
IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)
IPaaS 2.0: Fuse Integration Services (Robert Davies & Keith Babo)
 
Microservice pitfalls
Microservice pitfalls Microservice pitfalls
Microservice pitfalls
 
FOSDEM 2021 - Infrastructure as Code Drift & Driftctl
FOSDEM 2021 - Infrastructure as Code Drift & DriftctlFOSDEM 2021 - Infrastructure as Code Drift & Driftctl
FOSDEM 2021 - Infrastructure as Code Drift & Driftctl
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
 
CICD Azure DevOps
CICD Azure DevOpsCICD Azure DevOps
CICD Azure DevOps
 
Microservices with Spring Boot
Microservices with Spring BootMicroservices with Spring Boot
Microservices with Spring Boot
 

Similar to Divine and felonios cyber security devopsdays austin 2018

You Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsYou Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsSumo Logic
 
You build it - Cyber Chicago Keynote
You build it - Cyber Chicago KeynoteYou build it - Cyber Chicago Keynote
You build it - Cyber Chicago KeynoteJohn Willis
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owaspHelen Bravo
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual TestingDenim Group
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013drewz lin
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Agile Secure Cloud Application Development Management
Agile Secure Cloud Application Development ManagementAgile Secure Cloud Application Development Management
Agile Secure Cloud Application Development ManagementAdam Getchell
 
Automation: The Good, The Bad and The Ugly with DevOpsGuys - AppD Summit Europe
Automation: The Good, The Bad and The Ugly with DevOpsGuys - AppD Summit EuropeAutomation: The Good, The Bad and The Ugly with DevOpsGuys - AppD Summit Europe
Automation: The Good, The Bad and The Ugly with DevOpsGuys - AppD Summit EuropeAppDynamics
 
DevOpsGuys - DevOps Automation - The Good, The Bad and The Ugly
DevOpsGuys - DevOps Automation - The Good, The Bad and The UglyDevOpsGuys - DevOps Automation - The Good, The Bad and The Ugly
DevOpsGuys - DevOps Automation - The Good, The Bad and The UglyDevOpsGroup
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...FINOS
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6Dinis Cruz
 
DevoxxUK 2016: "DevOps: Microservices, containers, platforms, tooling... Oh y...
DevoxxUK 2016: "DevOps: Microservices, containers, platforms, tooling... Oh y...DevoxxUK 2016: "DevOps: Microservices, containers, platforms, tooling... Oh y...
DevoxxUK 2016: "DevOps: Microservices, containers, platforms, tooling... Oh y...Daniel Bryant
 
SecurifyLabs & Tiki @ Countermeasure 2014
SecurifyLabs & Tiki @ Countermeasure 2014SecurifyLabs & Tiki @ Countermeasure 2014
SecurifyLabs & Tiki @ Countermeasure 2014securifylabs
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxJosh Grossman
 

Similar to Divine and felonios cyber security devopsdays austin 2018 (20)

You Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsYou Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOps
 
You build it - Cyber Chicago Keynote
You build it - Cyber Chicago KeynoteYou build it - Cyber Chicago Keynote
You build it - Cyber Chicago Keynote
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Agile Secure Cloud Application Development Management
Agile Secure Cloud Application Development ManagementAgile Secure Cloud Application Development Management
Agile Secure Cloud Application Development Management
 
Automation: The Good, The Bad and The Ugly with DevOpsGuys - AppD Summit Europe
Automation: The Good, The Bad and The Ugly with DevOpsGuys - AppD Summit EuropeAutomation: The Good, The Bad and The Ugly with DevOpsGuys - AppD Summit Europe
Automation: The Good, The Bad and The Ugly with DevOpsGuys - AppD Summit Europe
 
DevOpsGuys - DevOps Automation - The Good, The Bad and The Ugly
DevOpsGuys - DevOps Automation - The Good, The Bad and The UglyDevOpsGuys - DevOps Automation - The Good, The Bad and The Ugly
DevOpsGuys - DevOps Automation - The Good, The Bad and The Ugly
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOps
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
 
DevoxxUK 2016: "DevOps: Microservices, containers, platforms, tooling... Oh y...
DevoxxUK 2016: "DevOps: Microservices, containers, platforms, tooling... Oh y...DevoxxUK 2016: "DevOps: Microservices, containers, platforms, tooling... Oh y...
DevoxxUK 2016: "DevOps: Microservices, containers, platforms, tooling... Oh y...
 
SecurifyLabs & Tiki @ Countermeasure 2014
SecurifyLabs & Tiki @ Countermeasure 2014SecurifyLabs & Tiki @ Countermeasure 2014
SecurifyLabs & Tiki @ Countermeasure 2014
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptx
 

More from John Willis

Automated Governance
Automated GovernanceAutomated Governance
Automated GovernanceJohn Willis
 
Devops Long Strange Trip
Devops Long Strange Trip Devops Long Strange Trip
Devops Long Strange Trip John Willis
 
I Got 99 Problems and a Bash DSL Ain't One of Them
I Got 99 Problems and a Bash DSL Ain't One of ThemI Got 99 Problems and a Bash DSL Ain't One of Them
I Got 99 Problems and a Bash DSL Ain't One of ThemJohn Willis
 
The 7 deadly diseases of DevOps 2019
The 7 deadly diseases of DevOps 2019The 7 deadly diseases of DevOps 2019
The 7 deadly diseases of DevOps 2019John Willis
 
Devops - A Long Strange Trip It's Been
Devops - A Long Strange Trip It's BeenDevops - A Long Strange Trip It's Been
Devops - A Long Strange Trip It's BeenJohn Willis
 
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's BeenDevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's BeenJohn Willis
 
Art of the Possible - Serverless Conference NYC 2017
Art of the Possible - Serverless Conference NYC 2017 Art of the Possible - Serverless Conference NYC 2017
Art of the Possible - Serverless Conference NYC 2017 John Willis
 
Why Executives Can't Change
Why Executives Can't Change Why Executives Can't Change
Why Executives Can't Change John Willis
 
Devops Kaizen - DevopsDays Dallas 2017
Devops Kaizen - DevopsDays Dallas 2017 Devops Kaizen - DevopsDays Dallas 2017
Devops Kaizen - DevopsDays Dallas 2017 John Willis
 
Evolve 2017 - Vegas - Devops, Docker and Security
Evolve 2017 - Vegas - Devops, Docker and Security Evolve 2017 - Vegas - Devops, Docker and Security
Evolve 2017 - Vegas - Devops, Docker and Security John Willis
 
Alibaba Cloud Conference 2016 - Docker Open Source
Alibaba Cloud Conference 2016 - Docker Open Source Alibaba Cloud Conference 2016 - Docker Open Source
Alibaba Cloud Conference 2016 - Docker Open Source John Willis
 
Alibaba Cloud Conference 2016 - Docker Enterprise
Alibaba Cloud Conference 2016 - Docker EnterpriseAlibaba Cloud Conference 2016 - Docker Enterprise
Alibaba Cloud Conference 2016 - Docker EnterpriseJohn Willis
 
Breaking Bad Equilibrium - Devops Connect 2017 RSAC
Breaking Bad Equilibrium - Devops Connect 2017 RSACBreaking Bad Equilibrium - Devops Connect 2017 RSAC
Breaking Bad Equilibrium - Devops Connect 2017 RSACJohn Willis
 
Breaking Bad Equilibrium - Devops Connect 2016 LA
Breaking Bad Equilibrium - Devops Connect 2016 LABreaking Bad Equilibrium - Devops Connect 2016 LA
Breaking Bad Equilibrium - Devops Connect 2016 LAJohn Willis
 
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
All daydevops 2016 - Turning Human Capital into High Performance Organizati...All daydevops 2016 - Turning Human Capital into High Performance Organizati...
All daydevops 2016 - Turning Human Capital into High Performance Organizati...John Willis
 
Turning Human Capital into High Performance Organizational Capital
Turning Human Capital into High Performance Organizational CapitalTurning Human Capital into High Performance Organizational Capital
Turning Human Capital into High Performance Organizational CapitalJohn Willis
 
Immutable Service Delivery Shenzhen 2016
Immutable Service Delivery Shenzhen 2016Immutable Service Delivery Shenzhen 2016
Immutable Service Delivery Shenzhen 2016John Willis
 
DOES16 London - Better Faster Cheaper .. How?
DOES16 London - Better Faster Cheaper .. How? DOES16 London - Better Faster Cheaper .. How?
DOES16 London - Better Faster Cheaper .. How? John Willis
 
Dockercon USA 2016 - Immutable Awesomeness
Dockercon USA 2016 - Immutable Awesomeness Dockercon USA 2016 - Immutable Awesomeness
Dockercon USA 2016 - Immutable Awesomeness John Willis
 

More from John Willis (20)

Automated Governance
Automated GovernanceAutomated Governance
Automated Governance
 
Devops Long Strange Trip
Devops Long Strange Trip Devops Long Strange Trip
Devops Long Strange Trip
 
I Got 99 Problems and a Bash DSL Ain't One of Them
I Got 99 Problems and a Bash DSL Ain't One of ThemI Got 99 Problems and a Bash DSL Ain't One of Them
I Got 99 Problems and a Bash DSL Ain't One of Them
 
Math is cool
Math is coolMath is cool
Math is cool
 
The 7 deadly diseases of DevOps 2019
The 7 deadly diseases of DevOps 2019The 7 deadly diseases of DevOps 2019
The 7 deadly diseases of DevOps 2019
 
Devops - A Long Strange Trip It's Been
Devops - A Long Strange Trip It's BeenDevops - A Long Strange Trip It's Been
Devops - A Long Strange Trip It's Been
 
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's BeenDevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
 
Art of the Possible - Serverless Conference NYC 2017
Art of the Possible - Serverless Conference NYC 2017 Art of the Possible - Serverless Conference NYC 2017
Art of the Possible - Serverless Conference NYC 2017
 
Why Executives Can't Change
Why Executives Can't Change Why Executives Can't Change
Why Executives Can't Change
 
Devops Kaizen - DevopsDays Dallas 2017
Devops Kaizen - DevopsDays Dallas 2017 Devops Kaizen - DevopsDays Dallas 2017
Devops Kaizen - DevopsDays Dallas 2017
 
Evolve 2017 - Vegas - Devops, Docker and Security
Evolve 2017 - Vegas - Devops, Docker and Security Evolve 2017 - Vegas - Devops, Docker and Security
Evolve 2017 - Vegas - Devops, Docker and Security
 
Alibaba Cloud Conference 2016 - Docker Open Source
Alibaba Cloud Conference 2016 - Docker Open Source Alibaba Cloud Conference 2016 - Docker Open Source
Alibaba Cloud Conference 2016 - Docker Open Source
 
Alibaba Cloud Conference 2016 - Docker Enterprise
Alibaba Cloud Conference 2016 - Docker EnterpriseAlibaba Cloud Conference 2016 - Docker Enterprise
Alibaba Cloud Conference 2016 - Docker Enterprise
 
Breaking Bad Equilibrium - Devops Connect 2017 RSAC
Breaking Bad Equilibrium - Devops Connect 2017 RSACBreaking Bad Equilibrium - Devops Connect 2017 RSAC
Breaking Bad Equilibrium - Devops Connect 2017 RSAC
 
Breaking Bad Equilibrium - Devops Connect 2016 LA
Breaking Bad Equilibrium - Devops Connect 2016 LABreaking Bad Equilibrium - Devops Connect 2016 LA
Breaking Bad Equilibrium - Devops Connect 2016 LA
 
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
All daydevops 2016 - Turning Human Capital into High Performance Organizati...All daydevops 2016 - Turning Human Capital into High Performance Organizati...
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
 
Turning Human Capital into High Performance Organizational Capital
Turning Human Capital into High Performance Organizational CapitalTurning Human Capital into High Performance Organizational Capital
Turning Human Capital into High Performance Organizational Capital
 
Immutable Service Delivery Shenzhen 2016
Immutable Service Delivery Shenzhen 2016Immutable Service Delivery Shenzhen 2016
Immutable Service Delivery Shenzhen 2016
 
DOES16 London - Better Faster Cheaper .. How?
DOES16 London - Better Faster Cheaper .. How? DOES16 London - Better Faster Cheaper .. How?
DOES16 London - Better Faster Cheaper .. How?
 
Dockercon USA 2016 - Immutable Awesomeness
Dockercon USA 2016 - Immutable Awesomeness Dockercon USA 2016 - Immutable Awesomeness
Dockercon USA 2016 - Immutable Awesomeness
 

Recently uploaded

Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 

Recently uploaded (20)

Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 

Divine and felonios cyber security devopsdays austin 2018

  • 1. The Divine and Felonious Nature of Cyber Security ( Introduction to DevSecOps ) John Willis @botchagalupe
  • 3.
  • 4. The Felonious Nature of Cyber Security
  • 7. DevSecOps Community Survey 2018 - Sonatype
  • 8. • Discovered 3/6/2017
 • Announced 3/9/2017
 • CVE created 3/10/2017
 • Equifax discovers 7/2017
 • Equifax announced 9/2017
 Anatomy of CVE-2017-5638 @botchagalupe
  • 9. • Discovered - 3/9/2017
 • Action - 3/10/2017
 • Remediation - 3/14/2017
 Anatomy of CVE-2017-5638 @botchagalupe
  • 10. Anatomy of CVE-2017-5638 • As of fall 2017 (3,054) organizations downloaded the exact version of Struts2 that was publicly disclosed as vulnerable on 3/10/17 and subsequently exploited at Equifax between 5/17-9/17.
 • As of fall 2017 (46,557) organizations downloaded a version of Struts and/or its sub projects with known vulnerabilities despite perfectly safe versions being available. Data derived from Sonatype’s 2017 Software Supply Chain Report @botchagalupe
  • 11. Anatomy of CVE-2017-8046 (Fool Me Once) • Published 9/21/17
 • CVE created 01/04/2018
 • Discovered 2/18/17
 • Corrected 3/6/18
 @botchagalupe
  • 12. • For the 5 months prior to the September 2017 disclosure, developers downloaded the affected Spring components 411,046 times while they were believed to be good. • In the 5 months after the September 2017 disclosure, developers downloaded the affected Spring components which were then known to be vulnerable 367,351 times. Only an 11% dip. Data derived from Sonatype’s 2017 Software Supply Chain Report Anatomy of CVE-2015-8046 (Fool Me Once) @botchagalupe
  • 13. Security and the Goldilocks Zone • The fallacious nature of cyber security relates to the standard legacy security model specifically on the idea of perimeter security. • This concept involves the implementation of a state-full firewall at a routed point within the network that very rarely gets looked at unless an operational change is required. • The problem with having only premier security is that applications have changed significantly in the last ten years and the infrastructure they run upon is playing by the same old rules.

  • 16. Devops Automated Deployment Pipeline Source: Wikipedia - Continuous Delivery @botchagalupe
  • 17. Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree • Over 75M test cases run daily @botchagalupe
  • 18. Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree 2016 150 Million automated tests run daily… @botchagalupe
  • 19. 19 Summary • Agile took us from months to days to deliver software • Devops took from months to days to deploy software • Now security is the bottleneck @botchagalupe
  • 21. Knowing Adversities and Motivations
  • 22. Knowing Adversities and Motivations
  • 23.
  • 25. You Build It, You Secure It @botchagalupe
  • 26. DevSecOps as Supply Chain? 26 Source: Wikipedia - Continuous Delivery @botchagalupe
  • 27. Software Supply Chain 27 Delivery Team Version Control Build Test Release DevOps Example Stage Prod @botchagalupe
  • 28. Software Supply Chain 28 Delivery Team Version Control Build Test Release DevOps Example Stage Prod @botchagalupe
  • 29. Security in the Software Supply Chain 29 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod @botchagalupe
  • 30. Security in the Software Supply Chain 30 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod @botchagalupe
  • 31. Implementing DevOps in a Regulated Environment Requirements & Design Development CI Interval Trigger Assessment Production Application Risk Classification Security Requirement Definition Secure Libraries Static Analysis/IDE SCM Open Source Governance(CI) Secure Coding Standards Perimeter Assessment Dynamic Assessments Threat-Based Pen Test Web Application Firewalls Automated Attack/ Bot Defense Container Security Management Security Mavens (Security-Trained Developers and Operations) Role Based Software Security Training Continuous Monitoring, Analytics and KPI Gathering Preventative Detective Container Security Compliance (CI) Threat modeling Static Analysis (CI) @botchagalupe
  • 32.
  • 33. 33 Delivery Team Version Control Build Test Release DevSecOps Supply Chain Stage Prod The New Goldilocks Zone (DevSecOps) Security Training Security Requirements Threat Modeling Architecture Review OWASP Top 10 IDE Plugins Code Examples Fail the Build Static Code Analysis Security Policy Testing Configuration Analysis Vulnerability Scanning Code and App Analysis Automated Pen Testing Static Code Analysis Security Policy Testing Configuration Analysis Security Monitoring
 Configuration Monitoring
  • 34. Best Practices for DevSecOps • Train development teams to develop secure code • Track security issues the same as software issues • If infrastructure is now code, then security should be code. • Integrate security controls in the software pipeline • Automate security test in the build process • Detect known vulnerabilities during the pipeline • Monitor security in production for known states • Inject failure to ensure security is hardened Gene Kim, Jez Humble, Patrick Dubois, and John Willis. 
 The DevOps Handbook; It Revolution Press, LLC.;2016.@botchagalupe
  • 37. The Felonious Nature of Cyber Security @botchagalupe
  • 40. DevSecOps Kaizen - Full Life Cycle 1.Key Outcomes 2.Countermeasures 3.Storyboard 4.Kanban Board 5.Post Retrospective 1 2 3 4 5
  • 41. 41 More Security Meta Points • Have security create templates, recipes, playbook • Create a Wiki for Security • All Issues managed in a common issue system • Create a Github Repo for OWASP code examples • Create interactive visual environments for security • Visualize all the things…. • A bug is a bug is a bug…. @botchagalupe
  • 42. 42 DevSecOps and Cloud Configuration • IAM and resource policies (S3 Bucket, SQS, etc.) • Permissive policies (e.g. wildcards) • Security Group ingress and egress rules • Liberal rules (e.g. 0.0.0.0/0, port range 1-65535 is open) • Encryption • Encryption that is not enabled or enforced for applicable resources • Automatic Key Rotation • KMS keys that don't have rotation enabled, • Invalid SSL configurations • ELBs with invalid SSL configurations
  • 43. 43 DevSecOps and Containers • Base Image Policies • Signed images • Capabilities policies • Vulnerability Image Scans • Port Restrictions • Secrets Management @botchagalupe
  • 44. 44 DevSecOps and Serverless • OWASP top 10 are still relevant • Proper Permissions • Data, Keys and Secrets • Still can have vulnerable code dependancies @botchagalupe