What can Information Security learn from DevOps
James Mckinlay – CSO Praetorian Consulting International
#whoami
Husband, Father, Son
IT Security <- IT Solutions <- IT Manager
https://uk.linkedin.com/in/jmck4cybersecurity
• Electoral Roll
• Landline
• Broadband
• Mobile Phone
• Gas / Electric
• TV licence
• Passport
• Inland Revenue
• High Street Bank
• Online Retailers
• Online webmail
• Companies House
• Online accountant
• Births & Marriages Register
• Hospital records / GP records
• Shares / Child ISA
• Pension
• Car Insurance
• House Insurance
• Flight Records (ARINC)
• Mortgage
• Postcode Address File
• University Records
• Water / Utilities
• Council Tax
• Driving Licence
• Car registration
• Equifax / Experian / Callcredit
* Section 1: My version of devOps
* Section 2: What I’ve seen recently
* Section 3: Tools you should play with
@CisoAdvisor
* Section 1: My version of devOps
Revolution Quote 1:
“You will not be able to stay home, brother.
You will not be able to plug in, turn on and cop out.
You will not be able to lose yourself on skag and
Skip out for beer during commercials,
Because the revolution will not be televised.”
- Gil Scott-Heron (1949–2011)
Disclaimer
• (1) Before we go any further, I feel I should first point out that everything I’m about to say is obviously just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect that if you asked someone else who was considering the same question, they might have very different things that they are looking for.
• (2) I am not in DevOps
• (3) I am not a DevOps historian
Before there was “DevOps” there was “Visible Ops” (2004), by Gene Kim, Kevin Behr and George Spafford.
2004:
A very simple, straightforward, easy-to-read book that provides a proven best practice for getting control of your data center through the implementation of high-value IT service management activities. The book breaks it down into four simple steps, with examples echoing what those in the industry see in the real world:
1) Stabilize the patient
2) Catch and release, and find fragile artifacts
3) Establish repeatable build library
4) Enable continuous improvement.
2008:
When information security sufficiently integrates into IT operations, both groups can better manage risks and meet operational commitments.
Phase 1 – Stabilize the patient and get plugged into production: integrate information security into daily IT operations to more effectively manage both information security and operational risks. Both groups will stop undoing each other’s work.
Phase 2 – Find business risk and fix fragile artifacts: identify the greatest business risks, discover critical IT functionality, and ensure controls are adequate.
Phase 3 – Implement development and release controls: move upstream in the software lifecycle to get security involved in development, project management, and release management functions.
Phase 4 – Enable continual improvement: for each phase and task, implement metrics that help assess the short-term progress and long-term health of the various processes and controls.
Before there was “Visible Ops” there was “Extreme Programming” (1999): ‘Embrace Change’.
Opens with the sentence ‘XP is about social change.’
Second Edition - 2004
Before “XP Programming” there was “Daily Build & Smoke Test” (1996):
By the time it was released, Microsoft Windows NT 3.0 consisted of 5.6 million lines of code spread across 40,000 source files. A complete build took as many as 19 hours on several machines, but the NT development team still managed to build every day (Zachary, 1994). Far from being a nuisance, the NT team attributed much of its success on that huge project to their daily builds.
Along came “Continuous Integration” (2006).
It wasn’t new in 2006; this is just credited as a really good write-up of CI.
Then there was “10+ Deploys a day” (2009).
Then there was “Continuous Delivery” (2011).
They review key issues, identify best practices, and demonstrate how to mitigate risks. Coverage includes:
• Automating all facets of building, integrating, testing, and deploying software
• Implementing deployment pipelines at team and organizational levels
• Improving collaboration between developers, testers, and operations
• Developing features incrementally on large and distributed teams
• Implementing an effective configuration management strategy
• Automating acceptance testing, from analysis to implementation
• Testing capacity and other non-functional requirements
• Implementing continuous deployment and zero-downtime releases
• Managing infrastructure, data, components and dependencies
• Navigating risk management, compliance, and auditing
Two slideshares worth a look at from 2012
Then in 2013 there was: “The Phoenix Project” and “Adventures of an IT Leader”.
Then there was . . .
There are many books like them, but I like these.
Then there was “SRE” (2016) and “IAC” (2016).
You’re all my favourites.
October 2016: pre-order page.
Into 2017, the next “big thing?” Serverless Architectures
Serverless architectures refer to applications that significantly depend on third-party services (known as Backend as a Service or "BaaS") or on custom code that's run in ephemeral containers (Function as a Service or "FaaS"), the best known vendor host of which currently is AWS Lambda. By using these ideas, and by moving much behavior to the front end, such architectures remove the need for the traditional 'always on' server system sitting behind an application. Depending on the circumstances, such systems can significantly reduce operational cost and complexity at a cost of vendor dependencies and (at the moment) immaturity of supporting services.
- @mikebroberts
DevOps -v- Security (2016, 2012)
My Timeline in Summary
1994: DB @ MS
1996: DBST blog
1999: XP
2004: Visible Ops
2006: CI blog
2008: Visible Ops Security
2009: Flickr presentation
2011: CI book
2013: Phoenix book
2016: SRE book
????: DevOps Handbook
Any Questions? No is a valid answer.
* Section 2: What I’ve seen recently
Revolution quote 2:
“The first revolution is when you change your mind about how you look at things, and see there might be another way to look at it that you have not been shown. What you see later on is the results of that, but that revolution, that change that takes place will not be televised.”
- Gil Scott-Heron (1949–2011)
BDD-Security does not need access to your source code to run its tests! Although the BDD tests are backed by Java, they are all executed over the network against a running instance of your app. The app under test can be written in any language and framework. If it talks HTTP/S, BDD-Security can test it.
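The black-box approach described above, as an added example that is not code from the BDD-Security project or from the talk: a small Python scanner stands up a constructed target app on a localhost port, fetches a page over plain HTTP exactly as an external tool would, and checks the response against a set of hardening expectations. The header names and expected values, the cookie-flag checks, and the two sample apps (`WeakApp`, `HardenedApp`) are this example's own assumptions, not anything BDD-Security specifies.

```python
"""Black-box HTTP security checks in the spirit of BDD-Security: the checks run
over the network against a running app, so the language the app is written in
is irrelevant. Added example; the expectations below are assumptions to adapt
to your own baseline, and a real run would point at the HTTPS endpoint."""
import http.server
import threading
import urllib.request
from http.cookies import SimpleCookie

# Header expectations: name -> predicate on the header value (None = absent).
EXPECTED_HEADERS = {
    "Strict-Transport-Security": lambda v: v is not None and "max-age=" in v,
    "X-Content-Type-Options": lambda v: v is not None and v.lower() == "nosniff",
    "X-Frame-Options": lambda v: v is not None and v.upper() in ("DENY", "SAMEORIGIN"),
    "Content-Security-Policy": lambda v: v is not None,
}


def check_response(headers, set_cookie_values):
    """Evaluate one HTTP response; return the list of failed expectations."""
    failures = []
    for name, ok in EXPECTED_HEADERS.items():
        if not ok(headers.get(name)):
            failures.append(f"header {name}: missing or weak")
    for raw in set_cookie_values:
        cookie = SimpleCookie()
        cookie.load(raw)
        for morsel in cookie.values():
            if not morsel["secure"]:
                failures.append(f"cookie {morsel.key}: missing Secure flag")
            if not morsel["httponly"]:
                failures.append(f"cookie {morsel.key}: missing HttpOnly flag")
    return failures


class WeakApp(http.server.BaseHTTPRequestHandler):
    """Constructed target: a typical response with no hardening headers."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Set-Cookie", "session=abc123; Path=/")
        self.end_headers()
        self.wfile.write(b"<html>weak</html>")

    def log_message(self, *args):  # keep the scanner output quiet
        pass


class HardenedApp(WeakApp):
    """Constructed target: the same app after the headers and flags are set."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("X-Frame-Options", "DENY")
        self.send_header("Content-Security-Policy", "default-src 'self'")
        self.send_header("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")
        self.end_headers()
        self.wfile.write(b"<html>hardened</html>")


def scan_app(handler_cls, path="/"):
    """Serve `handler_cls` on an ephemeral localhost port, fetch `path` over the
    network, and return the failures; an empty list means every check passed."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as resp:
            return check_response(resp.headers, resp.headers.get_all("Set-Cookie") or [])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, app in (("weak", WeakApp), ("hardened", HardenedApp)):
        print(label, scan_app(app) or "all checks passed")
```

Run stand-alone, the weak app fails six checks (four headers, two cookie flags) and the hardened app passes; in a pipeline the non-empty list from `scan_app` is what breaks the build. Because the scanner only sees HTTP responses, the same checks apply whether the application behind the port is Java, Python or Go.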
Is it fast? Does it scale? Does it use python?
Is it fast? Does it scale? Does it use golang-go?
Secure continuous delivery?
Security Automation?
Pipeline, CI, API, Monitoring?
Christer Edwards @ Adobe
Gareth Rushgrove @ Puppet Labs
Stephen de Vries @ Continuum
Francois Raynaud @ dev sec con ltd
Any Questions? No is a valid answer.
* Bonus: and it’s not even Easter
Commercial Tooling – has been tried but in my experience not widely adopted
Disclaimer: I do not endorse any of these commercial products – they are here to make a point in my presentation!
There has always been a place for security operations automation tooling – this is not devOps
https://www.nopsec.com https://www.phantom.us
Ticketing integration marketing
* Section 3: Tools you should know
Classic DevOps toolbox
Revolution quote 3:
“There can't be any large-scale revolution until there's a personal revolution, on an individual level. It's got to happen inside first.”
- Jim Morrison (1943 - 1971)
DevOps key elements
https://jenkins.io/doc/pipeline/
www.productname.io
gitlab github bitbucket gerrit
chef ansible puppet cfengine
jenkins buildbot go-cd
theforeman rundeck
azure aws heroku openshift
basecamp nginx
vagrant atlas virtualbox travis-ci
pki.io docker swarm kubernetes quay.io
mongodb couchdb ELK logly sensu pagerduty
slack hipchat flowdock consul etcd confd registrator zookeeper openstack
cucumber sonarqube jira bugzilla
* MAP31: ‘obscure 1994 reference’
A couple of Infosec titles worth a mention
Disclaimer: I do recommend these
SecOps workflow based on bugzilla and version control
Let me clarify one thing. Even Windows XP can be configured in such a way that it will become a very, very difficult target to exploit. For example: enable SRP application whitelisting and configure SRP properly. Install Browser-in-a-Box, only browse from that application, install all the latest updates, install EMET (the latest supported version for XP) and configure it properly. Install a proper AV, such as 360 Total Security (Chinese) (XP might still benefit from it), set up a Guest user account and a regular user account, set up proper passwords for all and only use the machine daily as a Guest-level account. When installing, elevate with Run-As. Regularly update the HOSTS file with blocked malicious domains (this is available from multiple sources and the task can be automated). Delete CMD.EXE, debug.exe, command.com and uninstall powershell. Delete reg.exe and regedit.exe after everything is set up and installed – use them from an external device if needed. Here you go! One paragraph, and the most “insecure” OS – Windows XP – has been secured properly.
Git bitbucket heroku cloud9
Collaboration and Dashboards
Faraday (pentesters) Threadfix (web app sec)
Faraday (pentesters):
Acunetix (REPORT) (XML)
Amap (CONSOLE)
Arachni (REPORT, CONSOLE) (XML)
arp-scan (CONSOLE)
BeEF (API)
Burp, BurpPro (REPORT, API) (XML)
Core Impact (REPORT) (XML)
Dnsenum (CONSOLE)
Dnsmap (CONSOLE)
Dnsrecon (CONSOLE)
Dnswalk (CONSOLE)
evilgrade (API)
Fierce (CONSOLE)
Goohost (CONSOLE)
Hydra (CONSOLE) (XML)
Immunity Canvas (API)
Maltego (REPORT)
masscan (REPORT, CONSOLE) (XML)
Medusa (CONSOLE)
Metagoofil (CONSOLE)
Metasploit (REPORT, API) (XML)
Nessus (REPORT) (XML .nessus)
Netsparker (REPORT) (XML)
Nexpose, Nexpose Enterprise (REPORT) (XML)
Nikto (REPORT, CONSOLE) (XML)
Nmap (REPORT, CONSOLE) (XML)
Openvas (REPORT) (XML)
PasteAnalyzer (CONSOLE)
Peeping Tom (CONSOLE)
propecia (CONSOLE)
Qualysguard (REPORT) (XML)
Retina (REPORT) (XML)
Reverseraider (CONSOLE)
Shodan (API)
Skipfish (CONSOLE)
Sqlmap (CONSOLE)
SSHdefaultscan (CONSOLE)
Theharvester (CONSOLE)
W3af (REPORT) (XML)
Wapiti (CONSOLE)
Webfuzzer (CONSOLE)
X1, Onapsis (REPORT) (XML)
Zap (REPORT) (XML)
Threadfix (web app sec):
Trustwave Hailstorm
Sonatype
Contrast
CheckMarx
Black Duck
IBM Security AppScan
QualysGuard WAS
WhiteHat Sentinel
Veracode
Burp
Zap
Acunetix
Arachni
Brakeman
Catnet
Cenzix
Clang
Codeprofiler
Findbugs
Fortify
Nessus
Netsparker
Skipfish
Ssvl
W3af
webinspect
* Section 4: Learn From DevOps
Revolution quote 4:
“Yes, finally the tables are starting to turn.
Talkin' bout a revolution, oh no
Talkin' bout a revolution, oh.”
- Tracy Chapman (1964 - present)
And apply it to Information Security Controls
Disclaimer
• (1) I haven’t yet tried this next bit ;)
checkout -> build -> report -> test -> deploy -> checkin
• Security Policy
NSA Top 10
• 1. Application Whitelisting
• 2. Control Administrative Privileges
• 3. Limit Workstation-to-Workstation communication
• 4. Use Anti-Virus file reputation services
• 5. Enable Anti-Exploitation Features
• 6. Implement HIPS
• 7. Set a Secure baseline configuration
• 8. Use Web Domain reputation services
• 9. Take advantage of Software Improvements
• 10. Segregate Network and functions
checkout -> build -> report -> test -> deploy -> checkin
• 1. Application Whitelisting
• 2. Control Administrative Privileges
• 5. Enable Anti-Exploitation Features
• 6. Implement HIPS
• 7. Set a Secure baseline configuration
• 9. Take advantage of Software Improvements
CPNI Top 20
CPNI published v5; CIS (Benchmarks) took up the project at v6.
1 - Inventory of Authorised and Unauthorised Devices
2 - Inventory of Authorised and Unauthorised Software
3 - Secure Configurations for Hardware and Software on Mobile Devices, Laptops,
Workstations and Servers
4 - Continuous Vulnerability Assessment and Remediation
5 - Malware Defences
6 - Application Software Security
7 - Wireless Access Control
8 - Data Recovery Capability
9 - Security Skills Assessment and Appropriate Training to Fill Gaps
10 - Secure Configurations for Network Devices such as Firewalls, Routers and Switches
11 - Limitation and Control of Network Ports, Protocols and Services
12 - Controlled Use of Administrative Privileges
13 - Boundary Defence
14 - Maintenance, Monitoring and Analysis of Audit Logs
15 - Control Access Based on the Need to Know
16 - Account Monitoring and Control
17 - Data Protection
18 - Incident Response and Management
19 - Secure Network Engineering
20 - Penetration Tests and Red Team Exercises
Did you know NSA have a project plan for the Top 20?
AusDSD Top 10 (of 35)
• Mitigation Strategy #1 – Application whitelisting
• Mitigation Strategy #2 – Patch applications
• Mitigation Strategy #3 – Patch operating system vulnerabilities
• Mitigation Strategy #4 – Restrict administrative privileges
• Mitigation Strategy #5 – User application configuration hardening
• Mitigation Strategy #6 – Automated dynamic analysis
• Mitigation Strategy #7 – Operating system generic exploit mitigation
• Mitigation Strategy #8 – Host‐based Intrusion Detection/Prevention System
• Mitigation Strategy #9 – Disable local administrator accounts
• Mitigation Strategy #10 – Network segmentation and segregation
http://www.asd.gov.au/infosec/mitigationstrategies.htm
AusDSD version started in 2012, NSA version July 2013
AusDSD: the other 25
• Mitigation Strategy #11 – Multi‐factor authentication
• Mitigation Strategy #12 – Software‐based application firewall, blocking incoming network traffic
• Mitigation Strategy #13 – Software‐based application firewall, blocking outgoing network traffic
• Mitigation Strategy #14 – Non‐persistent virtualised sandboxed trusted operating environment
• Mitigation Strategy #15 – Centralised and time‐synchronised logging of successful and failed computer events
• Mitigation Strategy #16 – Centralised and time‐synchronised logging of allowed and blocked network activity
• Mitigation Strategy #17 – Email content filtering
• Mitigation Strategy #18 – Web content filtering
• Mitigation Strategy #19 – Web domain whitelisting for all domains
• Mitigation Strategy #20 – Block spoofed emails
• Mitigation Strategy #21 – Workstation and server configuration management
• Mitigation Strategy #22 – Antivirus software using heuristics and automated Internet‐based reputation ratings
• Mitigation Strategy #23 – Deny direct Internet access from workstations
• Mitigation Strategy #24 – Server application configuration hardening
• Mitigation Strategy #25 – Enforce a strong passphrase policy
• Mitigation Strategy #26 – Removable and portable media control
• Mitigation Strategy #27 – Restrict access to Server Message Block (SMB) and NetBIOS
• Mitigation Strategy #28 – User education
• Mitigation Strategy #29 – Workstation inspection of Microsoft Office files
• Mitigation Strategy #30 – Signature‐based antivirus software
• Mitigation Strategy #31 – TLS encryption between email servers
• Mitigation Strategy #32 – Block attempts to access websites by their IP address
• Mitigation Strategy #33 – Network‐based Intrusion Detection/Prevention System
• Mitigation Strategy #34 – Gateway blacklisting
• Mitigation Strategy #35 – Capture network traffic
http://www.asd.gov.au/infosec/mitigationstrategies.htm
Summary
• There are many security controls that can benefit from checkin to SCM
• Basic Security template testing and deploying can benefit from DevOps mentality
• HIPS / FW rule tuning testing and deploying can benefit from DevOps mentality
• App Whitelisting rule tuning testing and deploying can benefit from DevOps mentality
• OS Patching testing and deploying can benefit from DevOps mentality
• App patching testing and deploying can benefit from DevOps mentality
• USB Monitor tuning testing and deploying can benefit from DevOps mentality
• Local admin group membership testing and deploying can benefit from DevOps mentality
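The pipeline this section sketches (checkout, build, report, test, deploy, checkin) applied to three of the controls the summary lists, as an added example that is not taken from the talk or from any tool it names: a Python script parses a versioned security baseline (application whitelist rules, approved local administrators, firewall rules), lints it as the test stage, evaluates the whitelist the way a first-match engine would, and reports drift between the approved local administrators and a sample `net localgroup Administrators` listing; only a clean test stage opens the deploy gate. The baseline schema, every value in it, the function names and the sample command output are all constructed for this illustration.

```python
"""Security controls as code: the control definition lives in SCM, a test
stage lints it before anything is deployed, and a report stage diffs it
against what a host actually has. Added example; the baseline schema and the
sample host output are constructed, not taken from any real environment."""
import fnmatch
import json

# Constructed baseline as it would be checked into SCM (e.g. baseline.json).
BASELINE_JSON = r"""
{
  "app_whitelist": [
    {"path": "C:\\Program Files\\*",        "action": "allow"},
    {"path": "C:\\Windows\\System32\\*",    "action": "allow"},
    {"path": "C:\\Users\\*\\Downloads\\*",  "action": "deny"}
  ],
  "local_admins": ["Administrator", "CORP\\WorkstationAdmins"],
  "firewall": [
    {"name": "rdp-from-mgmt", "src": "10.10.0.0/24", "dst_port": 3389,  "action": "allow"},
    {"name": "default-deny",  "src": "any",          "dst_port": "any", "action": "deny"}
  ]
}
"""

# Constructed sample of `net localgroup Administrators` output from one host.
NET_LOCALGROUP_OUTPUT = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\WorkstationAdmins
CORP\bob
The command completed successfully.
"""


def load_baseline(text=BASELINE_JSON):
    """Checkout/build stage: parse the versioned baseline into a dict."""
    return json.loads(text)


def lint_baseline(b):
    """Test stage: reject definitions that would weaken the control itself."""
    findings = []
    for rule in b["app_whitelist"]:
        if rule["action"] == "allow" and rule["path"].rstrip("\\*") in ("", "C:"):
            findings.append(f"whitelist: allow rule '{rule['path']}' covers an entire drive")
    for broad in ("Everyone", "Domain Users", "Authenticated Users"):
        if any(m.split("\\")[-1].lower() == broad.lower() for m in b["local_admins"]):
            findings.append(f"local_admins: broad group '{broad}' must not be a local administrator")
    fw = b["firewall"]
    for rule in fw:
        if rule["action"] == "allow" and rule["src"] == "any" and rule["dst_port"] == "any":
            findings.append(f"firewall: rule '{rule['name']}' allows any source to any port")
    if not fw or fw[-1]["action"] != "deny":
        findings.append("firewall: last rule must be an explicit default deny")
    return findings


def whitelist_decision(rules, path):
    """First-match evaluation of the whitelist (case-insensitive); unmatched paths are denied."""
    for rule in rules:
        if fnmatch.fnmatchcase(path.lower(), rule["path"].lower()):
            return rule["action"]
    return "deny"


def parse_net_localgroup(output):
    """Extract member names from `net localgroup <group>` output."""
    members, in_members = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return members


def drift_report(baseline, observed_members):
    """Report stage: who is in the group but not approved, and who is approved but absent."""
    approved = {m.lower() for m in baseline["local_admins"]}
    observed = {m.lower() for m in observed_members}
    return {
        "unexpected": sorted(m for m in observed_members if m.lower() not in approved),
        "missing": sorted(m for m in baseline["local_admins"] if m.lower() not in observed),
    }


def run_pipeline(baseline_text=BASELINE_JSON, observed_output=NET_LOCALGROUP_OUTPUT):
    """checkout/build -> test -> report -> deploy gate, returned as one dict."""
    baseline = load_baseline(baseline_text)
    findings = lint_baseline(baseline)
    drift = drift_report(baseline, parse_net_localgroup(observed_output))
    return {"findings": findings, "drift": drift, "deploy": not findings}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

The deploy gate depends only on the lint findings: drift is what the deploy stage is there to correct, so it is reported rather than used to block. Anything a reviewer would otherwise catch by eye (an allow-all rule, a broad group in the administrators list, a missing default deny) becomes a failing test on the checkin, which is the point of treating the control definition like code.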
Takeaways
• DevOps is a culture about speed, scale and automation
• Infosec should use the techniques of checkin / checkout / automatic deploy / report
• The automation has been maturing for over ten years (VisOps 2004, CI 2006)
• Developers with an interest in Security are driving the DevSecOps/DevSecCon movement
• Stephen de Vries & Gareth Rushgrove are pushing forward “Test Driven Security Controls”
Time is precious
thank you for yours
James
Booklist
• Visible Ops Handbook & Visible Ops Security – Gene Kim, Kevin Behr, George Spafford & Paul Love
• Extreme Programming Explained – Kent Beck
• Continuous Delivery – Jez Humble & David Farley
• One Minute Manager meets the Monkey – Ken Blanchard
• The Goal – Eliyahu M. Goldratt
• The Phoenix Project – Gene Kim, Kevin Behr, George Spafford
• Adventures of an IT Leader - Robert D. Austin, Shannon O'Donnell, Richard L Nolan
• Dev Ops 2.0 Toolkit - Viktor Farcic
• Pro Vagrant - Włodzimierz Gajda
• Ansible for DevOps - Jeff Geerling
• Ry’s GIT Tutorial - Ryan Hodson
• Site Reliability Engineering - Betsy Beyer and Chris Jones
• Infrastructure as Code - Kief Morris
• The Art of Monitoring – James Turnbull
• Logging and Log Management - Anton Chuvakin, Kevin Schmidt, Chris Phillips
• Ruby on Rails Tutorial – Michael Hartl
• Crafting the Infosec Playbook - Jeff Bollinger and Brandon Enright
• Building a cyber fortress – Alexander Sverdlov
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAPNIC
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Barry Greene
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud MigrationVMware Tanzu
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybSeniorStoryteller
 
From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018Christophe Rochefolle
 
From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️Ori Pekelman
 
Making Observability Actionable At Scale - DBS DevConnect 2019
Making Observability Actionable At Scale - DBS DevConnect 2019Making Observability Actionable At Scale - DBS DevConnect 2019
Making Observability Actionable At Scale - DBS DevConnect 2019Squadcast Inc
 
App sec and quality london - may 2016 - v0.5
App sec and quality   london -  may 2016 - v0.5App sec and quality   london -  may 2016 - v0.5
App sec and quality london - may 2016 - v0.5Dinis Cruz
 
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleDevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleJAXLondon_Conference
 
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...Burr Sutter
 
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"Daniel Bryant
 
DevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseDevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseJames Wickett
 
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...DevOps Indonesia
 
Cara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang RamadhanCara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang RamadhanDicodingEvent
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0Dinis Cruz
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 

Similar to BsidesMCR_2016-what-can-infosec-learn-from-devops (20)

Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018
 
From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️
 
Making Observability Actionable At Scale - DBS DevConnect 2019
Making Observability Actionable At Scale - DBS DevConnect 2019Making Observability Actionable At Scale - DBS DevConnect 2019
Making Observability Actionable At Scale - DBS DevConnect 2019
 
Product Security
Product SecurityProduct Security
Product Security
 
App sec and quality london - may 2016 - v0.5
App sec and quality   london -  may 2016 - v0.5App sec and quality   london -  may 2016 - v0.5
App sec and quality london - may 2016 - v0.5
 
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleDevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
 
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
 
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
 
DevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseDevOps for Defenders in the Enterprise
DevOps for Defenders in the Enterprise
 
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
 
Cara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang RamadhanCara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
Cara Tepat Menjadi iOS Developer Expert - Gilang Ramadhan
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 

More from James '​-- Mckinlay

40 things to do before you spend $1 on AI
40 things to do before you spend $1 on AI40 things to do before you spend $1 on AI
40 things to do before you spend $1 on AIJames '​-- Mckinlay
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedJames '​-- Mckinlay
 
Living with Determined Attackers MOSI Edition
Living with Determined Attackers MOSI EditionLiving with Determined Attackers MOSI Edition
Living with Determined Attackers MOSI EditionJames '​-- Mckinlay
 
ELITE.BCS-Cloud-and-Mobile-Risk-Assessments
ELITE.BCS-Cloud-and-Mobile-Risk-AssessmentsELITE.BCS-Cloud-and-Mobile-Risk-Assessments
ELITE.BCS-Cloud-and-Mobile-Risk-AssessmentsJames '​-- Mckinlay
 
Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214James '​-- Mckinlay
 

More from James '​-- Mckinlay (12)

Cracking for the Blue Team
Cracking for the Blue TeamCracking for the Blue Team
Cracking for the Blue Team
 
Security at the speed of dev ops v3
Security at the speed of dev ops v3Security at the speed of dev ops v3
Security at the speed of dev ops v3
 
40 things to do before you spend $1 on AI
40 things to do before you spend $1 on AI40 things to do before you spend $1 on AI
40 things to do before you spend $1 on AI
 
Securing Smart Cities
Securing Smart CitiesSecuring Smart Cities
Securing Smart Cities
 
cybersecurity-workforce-papers
cybersecurity-workforce-paperscybersecurity-workforce-papers
cybersecurity-workforce-papers
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speed
 
GPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-RightGPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-Right
 
Metrics evolution breakfast edition
Metrics evolution breakfast editionMetrics evolution breakfast edition
Metrics evolution breakfast edition
 
IGPC Data Breach Planning braindump
IGPC Data Breach Planning braindumpIGPC Data Breach Planning braindump
IGPC Data Breach Planning braindump
 
Living with Determined Attackers MOSI Edition
Living with Determined Attackers MOSI EditionLiving with Determined Attackers MOSI Edition
Living with Determined Attackers MOSI Edition
 
ELITE.BCS-Cloud-and-Mobile-Risk-Assessments
ELITE.BCS-Cloud-and-Mobile-Risk-AssessmentsELITE.BCS-Cloud-and-Mobile-Risk-Assessments
ELITE.BCS-Cloud-and-Mobile-Risk-Assessments
 
Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214
 

Recently uploaded

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Recently uploaded (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

BsidesMCR_2016-what-can-infosec-learn-from-devops

  • 1. What can Information Security learn from DevOps James Mckinlay – CSO Praetorian Consulting International
  • 2. #whoami Husband, Father, Son. IT Security <- IT Solutions <- IT Manager. https://uk.linkedin.com/in/jmck4cybersecurity
    - Electoral Roll, Landline, Broadband, Mobile Phone, Gas / Electric, TV licence, Passport, Inland Revenue, High Street Bank, Online Retailers, Online webmail, Companies House, Online accountant, Births & Marriages Register, Hospital records / GP records, Shares / Child ISA, Pension, Car Insurance, House Insurance, Flight Records (ARINC), Mortgage, Postcode Address File, University Records, Water / Utilities, Council Tax, Driving Licence, Car registration, Equifax Experian Callcredit
  • 3. * Section 1: My version of devOps * Section 2: What I’ve seen recently * Section 3: Tools you should play with @CisoAdvisor
  • 4. * Section 1: My version of devOps. Revolution Quote 1: “You will not be able to stay home, brother. You will not be able to plug in, turn on and cop out. You will not be able to lose yourself on skag and skip out for beer during commercials, because the revolution will not be televised.” - Gil Scott-Heron (1949 - 2011)
  • 5. Disclaimer
    - (1) Before we go any further, I feel I should first point out that everything I’m about to say is obviously just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect that if you asked someone else who was considering the same question, they might have very different things that they are looking for.
    - (2) I am not in DevOps
    - (3) I am not a DevOps historian
  • 6. Before there was “DevOps” there was – “Visual Ops” (2004) Gene Kim Kevin Behr George Spafford
  • 7. 2004: A very simple, straightforward, easy-to-read book that provides a proven best practice for getting control of your data center through the implementation of high-value IT service management activities. The book breaks it down into four simple steps, with examples echoing what those in the industry see in the real world:
    - 1) Stabilize the patient
    - 2) Catch and release, and find fragile artifacts
    - 3) Establish repeatable build library
    - 4) Enable continuous improvement
  • 8. 2008: When information security sufficiently integrates into IT operations, both groups can better manage risks and meet operational commitments.
    - Phase 1: Stabilize the patient and get plugged into production. Integrate information security into daily IT operations to more effectively manage both information security and operational risks. Both groups will stop undoing each other’s work.
    - Phase 2: Find business risk and fix fragile artifacts. Identify the greatest business risks, discover critical IT functionality, and ensure controls are adequate.
    - Phase 3: Implement development and release controls. Move upstream in the software lifecycle to get security involved in development, project management, and release management functions.
    - Phase 4: Enable continual improvement. For each phase and task, implement metrics that help assess the short-term progress and long-term health of the various processes and controls.
  • 9. Before there was “Visual Ops” there was - “Extreme Programming” (1999) ‘Embrace Change’ Opens with sentence - ‘XP is about social change.’ Second Edition - 2004
  • 10. Before “XP Programming” there was - “Daily Build & Smoke Test” (1996) By the time it was released, Microsoft Windows NT 3.0 consisted of 5.6 million lines of code spread across 40,000 source files. A complete build took as many as 19 hours on several machines, but the NT development team still managed to build every day (Zachary, 1994). Far from being a nuisance, the NT team attributed much of its success on that huge project to their daily builds.
  • 11. Along came “Continuous Integration” (2006). It wasn’t new in 2006; this is just credited as a really good write-up of CI.
  • 12.
  • 13. Then there was “10+Deploys a day” (2009)
  • 14. Then there was “Continuous Delivery” (2011). They review key issues, identify best practices, and demonstrate how to mitigate risks. Coverage includes:
    - Automating all facets of building, integrating, testing, and deploying software
    - Implementing deployment pipelines at team and organizational levels
    - Improving collaboration between developers, testers, and operations
    - Developing features incrementally on large and distributed teams
    - Implementing an effective configuration management strategy
    - Automating acceptance testing, from analysis to implementation
    - Testing capacity and other non-functional requirements
    - Implementing continuous deployment and zero-downtime releases
    - Managing infrastructure, data, components and dependencies
    - Navigating risk management, compliance, and auditing
  • 15. Two slideshares worth a look at from 2012
  • 16. Then in 2013 there was: “The Phoenix Project” “Adventures of an IT Leader”
  • 17. Then there was . . . There are many books like them, but I like these.
  • 18. Then there was “SRE” (2016) and “IAC” (2016). You’re all my favourites.
  • 20. Into 2017: The next “big thing?” Serverless Architectures. Serverless architectures refer to applications that significantly depend on third-party services (known as Backend as a Service or "BaaS") or on custom code that's run in ephemeral containers (Function as a Service or "FaaS"), the best known vendor host of which currently is AWS Lambda. By using these ideas, and by moving much behavior to the front end, such architectures remove the need for the traditional 'always on' server system sitting behind an application. Depending on the circumstances, such systems can significantly reduce operational cost and complexity at a cost of vendor dependencies and (at the moment) immaturity of supporting services. - @mikebroberts
  • 22. My Timeline in Summary
    - 1994 DB @ MS
    - 1996 DBST Blog
    - 1999 XP
    - 2004 VisualOps
    - 2006 CI blog
    - 2008 VisualOps Security
    - 2009 Flickr Presentation
    - 2011 CI Book
    - 2013 Phoenix Book
    - 2016 SRE Book
    - ???? DevOps Handbook
  • 23. Any Questions No is a valid answer
  • 24. * Section 2: What I’ve seen recently. Revolution quote 2: “The first revolution is when you change your mind about how you look at things, and see there might be another way to look at it that you have not been shown. What you see later on is the results of that, but that revolution, that change that takes place will not be televised.” - Gil Scott-Heron (1949 - 2011)
  • 25.
  • 26.
  • 27. BDD-Security does not need access to your source code to run its tests! Although the BDD tests are backed by Java, they are all executed over the network against a running instance of your app. The app under test can be written in any language and framework. If it talks HTTP/S, BDD-Security can test it.
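The same black-box idea in Python, as an added example that is not from the slides or from the BDD-Security project: each scenario is a Then-style expectation evaluated only against what a running instance sends back over HTTP, so it needs no source access and works for an app in any language, and the gate result is what a CI stage would act on. The HSTS max-age threshold and the sample responses are assumptions constructed for the example.

```python
"""BDD-style security acceptance checks run over the network against a
running application. Nothing here reads source code: every scenario looks
only at the HTTP response, in the spirit of BDD-Security's approach."""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Response:
    """What the app under test sent back; header names are lower-cased."""
    status: int
    headers: Dict[str, str]
    set_cookies: List[str] = field(default_factory=list)


def fetch(url: str, timeout: float = 5.0) -> Response:
    """Issue one GET over the network; an error status is still a Response."""
    req = urllib.request.Request(url, headers={"User-Agent": "bdd-sec-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, {k.lower(): v for k, v in r.headers.items()},
                            r.headers.get_all("set-cookie") or [])
    except urllib.error.HTTPError as e:
        return Response(e.code, {k.lower(): v for k, v in e.headers.items()},
                        e.headers.get_all("set-cookie") or [])


# A scenario returns None on pass, or a short reason on failure.
Scenario = Callable[[Response], Optional[str]]

# Assumed threshold for this example (one year in seconds), not from the slides.
MIN_HSTS_MAX_AGE = 31536000


def then_hsts_is_enforced(r: Response) -> Optional[str]:
    """Then the response carries Strict-Transport-Security with a long max-age."""
    m = re.search(r"max-age=(\d+)", r.headers.get("strict-transport-security", ""))
    if not m:
        return "no Strict-Transport-Security header"
    if int(m.group(1)) < MIN_HSTS_MAX_AGE:
        return f"HSTS max-age too short: {m.group(1)}"
    return None


def then_cookies_are_secure_and_httponly(r: Response) -> Optional[str]:
    """Then every cookie the app sets is flagged Secure and HttpOnly."""
    problems = []
    for cookie in r.set_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            problems.append(f"{name} lacks {'/'.join(missing)}")
    return "; ".join(problems) or None


def then_no_server_version_is_disclosed(r: Response) -> Optional[str]:
    """Then the Server banner does not leak a version number."""
    banner = r.headers.get("server", "")
    return f"Server header discloses a version: {banner!r}" if re.search(r"\d", banner) else None


def then_mime_sniffing_is_disabled(r: Response) -> Optional[str]:
    """Then X-Content-Type-Options is set to nosniff."""
    if r.headers.get("x-content-type-options", "").lower() != "nosniff":
        return "X-Content-Type-Options is not 'nosniff'"
    return None


def then_framing_is_restricted(r: Response) -> Optional[str]:
    """Then framing is restricted by X-Frame-Options or CSP frame-ancestors."""
    xfo = r.headers.get("x-frame-options", "").upper()
    csp = r.headers.get("content-security-policy", "")
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        return None
    return "neither X-Frame-Options nor CSP frame-ancestors restricts framing"


SCENARIOS: List[Scenario] = [then_hsts_is_enforced, then_cookies_are_secure_and_httponly,
                             then_no_server_version_is_disclosed,
                             then_mime_sniffing_is_disabled, then_framing_is_restricted]


def run_scenarios(r: Response, scenarios: List[Scenario] = SCENARIOS) -> Dict[str, Optional[str]]:
    """Evaluate every scenario against one response; None means it passed."""
    return {s.__name__: s(r) for s in scenarios}


def gate(results: Dict[str, Optional[str]]) -> bool:
    """Pipeline gate: True only when every scenario passed."""
    return all(reason is None for reason in results.values())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        resp = fetch(sys.argv[1])            # e.g. a staging instance URL
    else:
        # Constructed sample of a weak response, used when no URL is given.
        resp = Response(200, {"server": "Apache/2.4.7", "x-frame-options": "SAMEORIGIN"},
                        ["JSESSIONID=abc123; Path=/"])
    outcome = run_scenarios(resp)
    for name, reason in outcome.items():
        print(f"{'PASS' if reason is None else 'FAIL'}  {name}{': ' + reason if reason else ''}")
    sys.exit(0 if gate(outcome) else 1)   # non-zero exit fails the pipeline stage
```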
  • 28. Is it fast? Does it scale? Does it use python?
  • 29. Is it fast? Does it scale? Does it use golang-go?
  • 30. Secure continuous delivery? Security Automation? Pipeline, CI, API, Monitoring?
  • 31. Christer Edwards @ Adobe Gareth Rushgrove @ Puppet Labs Stephen de Vries @ Continuum Francois Raynaud @ dev sec con ltd
  • 32. Any Questions No is a valid answer
  • 33. * Bonus: and it’s not even Easter. Commercial Tooling has been tried but in my experience not widely adopted. Disclaimer: I do not endorse any of these commercial products; they are here to make a point in my presentation!
  • 34. There has always been a place for security operations automation tooling – this is not devOps
  • 37. * Section 3: Tools you should know Classic DevOps toolbox Revolution quote 3: “There can't be any large-scale revolution until there's a personal revolution, on an individual level. It's got to happen inside first.” - Jim Morrison (1943 - 1971)
  • 39. www.productname.io: gitlab, github, bitbucket, gerrit, chef, ansible, puppet, cfengine, jenkins, buildbot, go-cd, theforeman, rundeck, azure, aws, heroku, openshift, basecamp, nginx, vagrant, atlas, virtualbox, travis-ci, pki.io, docker, swarm, kubernetes, quay.io, mongodb, couchdb, ELK, logly, sensu, pagerduty, slack, hipchat, flowdock, consul, etcd, confd, registrator, zookeeper, openstack, cucumber, sonarqube, jira, bugzilla
  • 40. * MAP31: ‘obscure 1994 reference’. A couple of infosec titles worth a mention. Disclaimer: I do recommend these.
  • 41. SecOps workflow based on bugzilla and version control: Git, bitbucket, heroku, cloud9
    Let me clarify one thing. Even Windows XP can be configured in such a way that it will become a very, very difficult target to exploit. For example: enable SRP application whitelisting and configure SRP properly. Install Browser-in-a-Box, only browse from that application, install all the latest updates, install EMET (the latest supported version for XP) and configure it properly. Install a proper AV, such as 360 Total Security (Chinese) (XP might still benefit from it), set up a Guest user account and a regular user account, set up proper passwords for all and only use the machine daily as a Guest-level account. When installing, elevate with Run-As. Regularly update the HOSTS file with blocked malicious domains (this is available from multiple sources and the task can be automated). Delete CMD.EXE, debug.exe, command.com and uninstall powershell. Delete reg.exe and regedit.exe after everything is set up and installed – use them from an external device if needed. Here you go! One paragraph, and the most “insecure” OS – Windows XP – has been secured properly.
  • 42. Collaboration and Dashboards Faraday (pentesters) Threadfix (web app sec)
  • 43. Collaboration and Dashboards. Faraday (pentesters) plugins: Acunetix (REPORT) (XML), Amap (CONSOLE), Arachni (REPORT, CONSOLE) (XML), arp-scan (CONSOLE), BeEF (API), Burp / BurpPro (REPORT, API) (XML), Core Impact (REPORT) (XML), Dnsenum (CONSOLE), Dnsmap (CONSOLE), Dnsrecon (CONSOLE), Dnswalk (CONSOLE), evilgrade (API), Fierce (CONSOLE), Goohost (CONSOLE), Hydra (CONSOLE) (XML), Immunity Canvas (API), Maltego (REPORT), masscan (REPORT, CONSOLE) (XML), Medusa (CONSOLE), Metagoofil (CONSOLE), Metasploit (REPORT, API) (XML report), Nessus (REPORT) (XML .nessus), Netsparker (REPORT) (XML), Nexpose / Nexpose Enterprise (REPORT) (XML), Nikto (REPORT, CONSOLE) (XML), Nmap (REPORT, CONSOLE) (XML), Openvas (REPORT) (XML), PasteAnalyzer (CONSOLE), Peeping Tom (CONSOLE), propecia (CONSOLE), Qualysguard (REPORT) (XML), Retina (REPORT) (XML), Reverseraider (CONSOLE), Shodan (API), Skipfish (CONSOLE), Sqlmap (CONSOLE), SSHdefaultscan (CONSOLE), Theharvester (CONSOLE), W3af (REPORT) (XML), Wapiti (CONSOLE), Webfuzzer (CONSOLE), X1 / Onapsis (REPORT) (XML), Zap (REPORT) (XML). Threadfix (web app sec) integrations: Trustwave Hailstorm, Sonatype, Contrast, CheckMarx, Black Duck, IBM Security AppScan, QualysGuard WAS, WhiteHat Sentinel, Veracode, Burp, Zap, Acunetix, Arachni, Brakeman, Catnet, Cenzix, Clang, Codeprofiler, Findbugs, Fortify, Nessus, Netsparker, Skipfish, Ssvl, W3af, webinspect
  • 44. * Section 4: Learn From DevOps Revolution quote 4: “Yes, finally the tables are starting to turn. Talkin' bout a revolution, oh no Talkin' bout a revolution, oh.” - Tracy Chapman (1964 - present) And apply it to Information Security Controls
  • 45. Disclaimer  (1) I haven’t yet tried this next bit ;)
  • 47. NSA Top 10  1. Application Whitelisting  2. Control Administrative Privileges  3. Limit Workstation-to-Workstation communication  4. Use Anti-Virus file reputation services  5. Enable Anti-Exploitation Features  6. Implement HIPS  7. Set a Secure baseline configuration  8. Use Web Domain reputation services  9. Take advantage of Software Improvements  10. Segregate Network and functions
  • 48. checkout build report test deploy checkin  1. Application Whitelisting  2. Control Administrative Privileges  5. Enable Anti-Exploitation Features  6. Implement HIPS  7. Set a Secure baseline configuration  9. Take advantage of Software Improvements
  • 49. CPNI Top 20 CPNI publishes v5 CIS (Benchmarks) taken up the project at v6
  • 50. 1 - Inventory of Authorised and Unauthorised Devices 2 - Inventory of Authorised and Unauthorised Software 3 - Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers 4 - Continuous Vulnerability Assessment and Remediation 5 - Malware Defences 6 - Application Software Security 7 - Wireless Access Control 8 - Data Recovery Capability 9 - Security Skills Assessment and Appropriate Training to Fill Gaps 10 - Secure Configurations for Network Devices such as Firewalls, Routers and Switches 11 - Limitation and Control of Network Ports, Protocols and Services 12 - Controlled Use of Administrative Privileges 13 - Boundary Defence 14 - Maintenance, Monitoring and Analysis of Audit Logs 15 - Control Access Based on the Need to Know 16 - Account Monitoring and Control 17 - Data Protection 18 - Incident Response and Management 19 - Secure Network Engineering 20 - Penetration Tests and Red Team Exercises Did you know NSA have a project plan for the Top 20 ?
  • 51. AusDSD Top 10 (of 35)  Mitigation Strategy #1 – Application whitelisting  Mitigation Strategy #2 – Patch applications  Mitigation Strategy #3 – Patch operating system vulnerabilities  Mitigation Strategy #4 – Restrict administrative privileges  Mitigation Strategy #5 – User application configuration hardening  Mitigation Strategy #6 – Automated dynamic analysis  Mitigation Strategy #7 – Operating system generic exploit mitigation  Mitigation Strategy #8 – Host-based Intrusion Detection/Prevention System  Mitigation Strategy #9 – Disable local administrator accounts  Mitigation Strategy #10 – Network segmentation and segregation http://www.asd.gov.au/infosec/mitigationstrategies.htm AusDSD version started in 2012, NSA version July 2013
  • 52. AusDSD : the other 25  Mitigation Strategy #11 – Multi-factor authentication  Mitigation Strategy #12 – Software-based application firewall, blocking incoming network traffic  Mitigation Strategy #13 – Software-based application firewall, blocking outgoing network traffic  Mitigation Strategy #14 – Non-persistent virtualised sandboxed trusted operating environment  Mitigation Strategy #15 – Centralised and time-synchronised logging of successful and failed computer events  Mitigation Strategy #16 – Centralised and time-synchronised logging of allowed and blocked network activity  Mitigation Strategy #17 – Email content filtering  Mitigation Strategy #18 – Web content filtering  Mitigation Strategy #19 – Web domain whitelisting for all domains  Mitigation Strategy #20 – Block spoofed emails  Mitigation Strategy #21 – Workstation and server configuration management  Mitigation Strategy #22 – Antivirus software using heuristics and automated Internet-based reputation ratings  Mitigation Strategy #23 – Deny direct Internet access from workstations  Mitigation Strategy #24 – Server application configuration hardening  Mitigation Strategy #25 – Enforce a strong passphrase policy  Mitigation Strategy #26 – Removable and portable media control  Mitigation Strategy #27 – Restrict access to Server Message Block (SMB) and NetBIOS  Mitigation Strategy #28 – User education  Mitigation Strategy #29 – Workstation inspection of Microsoft Office files  Mitigation Strategy #30 – Signature-based antivirus software  Mitigation Strategy #31 – TLS encryption between email servers  Mitigation Strategy #32 – Block attempts to access websites by their IP address  Mitigation Strategy #33 – Network-based Intrusion Detection/Prevention System  Mitigation Strategy #34 – Gateway blacklisting  Mitigation Strategy #35 – Capture network traffic http://www.asd.gov.au/infosec/mitigationstrategies.htm
  • 53. Summary  There are many security controls that can benefit from checkin to SCM  Basic Security template testing and deploying can benefit from DevOps mentality  HIPS / FW rule tuning testing and deploying can benefit from DevOps mentality  App Whitelisting rule tuning testing and deploying can benefit from DevOps mentality  OS Patching testing and deploying can benefit from DevOps mentality  App patching testing and deploying can benefit from DevOps mentality  USB Monitor tuning testing and deploying can benefit from DevOps mentality  Local admin group membership testing and deploying can benefit from DevOps mentality
  • 54. Takeaways  DevOps is a culture about speed, scale and automation  Infosec should use the techniques of checkin / checkout / automatic deploy / report  The automation has been maturing for over ten years (VisOps 2004, CI 2006)  Developers with an interest in Security are driving the DevSecOps/DevSecCon movement  Stephen de Vries & Gareth Rushgrove are pushing forward “Test Driven Security Controls”
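One way to turn the Summary and Takeaways into a "test-driven security control" (baseline checked into SCM, tested at the report stage, failing the build before deploy) is sketched below. This is an added example, not code from the deck or from any of the tools it lists; the baseline schema, the control names (local admin membership, app whitelist, HIPS, inbound firewall rules) and the sample host state are constructed assumptions.

```python
"""Test-driven security control check: compare a version-controlled baseline
against observed host state and produce the 'report' stage output.
Constructed example; the baseline schema and sample state are assumptions,
not any product's format."""

# Baseline you would keep in SCM (constructed). It maps to NSA Top 10 items
# 1 (application whitelisting), 2 (admin privileges) and 6 (HIPS).
BASELINE = {
    "local_admins": {"Administrator", "svc-backup"},
    "app_whitelist": {"C:\\Program Files\\*", "C:\\Windows\\*"},
    "hips_enabled": True,
    "fw_inbound_allow": {"tcp/3389", "tcp/445"},
}

# What a collection job reported from one host (constructed drift sample):
# an extra local admin, a missing whitelist path, HIPS off, an extra port.
OBSERVED = {
    "local_admins": {"Administrator", "svc-backup", "jdoe"},
    "app_whitelist": {"C:\\Program Files\\*"},
    "hips_enabled": False,
    "fw_inbound_allow": {"tcp/3389", "tcp/445", "tcp/5985"},
}


def check_baseline(baseline, observed):
    """Return a list of (control, kind, detail) findings; empty means compliant.
    Set-valued controls report 'unexpected' extras and 'missing' entries;
    scalar controls report a 'mismatch' with both values."""
    findings = []
    for control, expected in baseline.items():
        actual = observed.get(control)
        if isinstance(expected, set):
            actual = set(actual or ())
            for extra in sorted(actual - expected):
                findings.append((control, "unexpected", extra))
            for missing in sorted(expected - actual):
                findings.append((control, "missing", missing))
        elif actual != expected:
            findings.append((control, "mismatch", f"expected {expected!r}, got {actual!r}"))
    return findings


def report(findings):
    """Render findings as report lines; any FAIL line should stop 'deploy'."""
    if not findings:
        return ["PASS: host matches baseline"]
    return [f"FAIL {control}: {kind} {detail}" for control, kind, detail in findings]


if __name__ == "__main__":
    print("\n".join(report(check_baseline(BASELINE, OBSERVED))))
```

Running it against the drift sample prints four FAIL lines; a clean host prints the single PASS line, which is the condition a pipeline would gate the deploy stage on.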
  • 55. Time is precious thank you for yours James
  • 56.  VisualOps Handbook & VisualOps Security – Gene Kim, Kevin Behr, George Spafford & Paul Love  Extreme Programming Explained – Kent Beck  Continuous Delivery – Jez Humble & David Farley  One Minute Manager meets the Monkey – Ken Blanchard  The Goal – Eliyahu M. Goldratt  The Phoenix Project – Gene Kim, Kevin Behr, George Spafford  Adventures of an IT Leader - Robert D. Austin, Shannon O'Donnell, Richard L Nolan  Dev Ops 2.0 Toolkit - Viktor Farcic  Pro Vagrant - Włodzimierz Gajda  Ansible for DevOps - Jeff Geerling  Ry’s GIT Tutorial - Ryan Hodson  Site Reliability Engineering - Betsy Beyer and Chris Jones  Infrastructure as Code - Kief Morris  The Art of Monitoring – James Turnbull  Logging and Log Management - by Anton Chuvakin, Kevin Schmidt, Chris Phillips  Ruby on Rails Tutorial – Michael Hartl  Crafting the Infosec Playbook - Jeff Bollinger and Brandon Enright  Building a cyber fortress – Alexander Sverdlov Booklist