The New Ways of Chaos, Security, and DevOps
•
2 likes•501 views
VMware Thought Leadership Series: The New Ways of Chaos, Security, and DevOps Abstract: DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to The New Ways of Chaos, Security, and DevOps
Similar to The New Ways of Chaos, Security, and DevOps (20)
More from James Wickett
More from James Wickett (11)
Recently uploaded
Recently uploaded (20)
The New Ways of Chaos, Security, and DevOps
- 1. THE NEW WAYS OF CHAOS SECURITY & DevOps @WICKETT
- 2. JAMES WICKETT Sr. Sec Eng & Dev Advocate @ Verica Author, LinkedIn Learning Organizer, DevOps Days Austin, Serverless Days ATX, DevSecOps Days Austin Author, DevSecOps Handbook (In progress) @wickett
- 5. VERICA.IO An enterprise platform for Continuous Verification, using Chaos Engineering principles, to take a proactive and measured approach to preventing availability and security incidents. @wickett
- 7. credit to Josh Zimmerman, the original DevOps Jack Handy
- 10. FIRST, UNDERSTAND DEVOPS AND HOW WE GOT HERE @wickett
- 13. DATASo Big Right Now @wickett
- 16. YASSS! OPS (and security) FOR FREE!@wickett
- 17. DevOps grew hand-in-hand with cloud @wickett
- 19. DevOps is the inevitable result of needing to do efficient operations in a distributed computing and cloud environment. Tom Limoncelli @wickett
- 20. DevOps is an epistemological breakthrough joining disparate people around a common problem @wickett
- 21. DevOps was needed to fix the inequitable distribution of labor @wickett
- 23. DevOps is not a technological problem. DevOps is a business problem. - Damon Edwards @wickett
- 24. DevOps is just another waypoint on Agile's journey across the business @wickett
- 25. DevOps is the application of Agile methodology to system administration — The Practice of Cloud System Administration Book @wickett
- 26. Ok DevOps, that's fine. But why DevSecOps? @wickett
- 27. I ASKED MYSELF THIS SAME QUESTION @wickett
- 28. @wickett
- 29. Security finds itself in the same position that operations did in the movement of DevOps @wickett
- 32. Security, like ops struggles to provide value in most organizations @wickett
- 33. Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process. @wickett
- 34. [Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work @wickett
- 35. While engineering teams are busy deploying leading-edge technologies, security teams are still focused on fighting yesterday’s battles. SANS 2018 DevSecOps Survey @wickett
- 36. 95%OF SECURITY PROFESSIONALS SPEND THEIR TIME PROTECTING LEGACY APPLICATIONS @wickett
- 37. TECH BURDEN CAN ONLY BE TRANSFERRED @wickett
- 38. SECURITY BURDEN IS NOT CREATED OR DESTROYED, MERELY TRANSFERRED @wickett
- 39. "MANY SECURITY TEAMS WORK WITH A WORLDVIEW WHERE THEIR GOAL IS TO inhibit change AS MUCH AS POSSIBLE" @wickett
- 40. New technology (cloud, k8s, serverless, ...) and increased organization focus on software delivery is why we need DevSecOps. @wickett
- 41. A Highly Desireable New Breed: THE DEVSECOP @wickett
- 42. ...not a tool …not a CI/CD pipeline with security in it ...can’t be bought on an expo floor @wickett
- 43. An inclusive person participating in the movement of security into devops. @wickett
- 46. MEASURE DEVSECOPS Maker Driven Experimenting Automating Safety Aware Unrestrained Sharing Ruggedizing Empathy First
- 47. MEASURE @wickett
- 49. We are software engineers who specialize in a specific discipline: security @wickett
- 50. SECURITY MUST BE ABLE TO WRITE CODE@wickett
- 51. Why is this considered a hot take in our industry? @wickett
- 52. With all the resources available today... @wickett
- 55. SECURITY ALREADY USES DSLS @wickett
- 57. The Entire Security Team Must Write Code Shannon Lietz, Intuit Aaron Rinehart, United Health Group @wickett
- 58. WHY IS THIS IMPORTANT? ▸ Empathy building ▸ Familiarity with tools ▸ Able to move up the pipeline @wickett
- 59. A BUG IS A BUG IS A BUG @wickett
- 60. Defect Density studies range from .5 to 10 defects per KLOC @wickett
- 61. DEFECT DENSITY IS NEVER ZERO @wickett
- 62. But my application is just a few lines of code @wickett
- 63. 222 Lines of Code 5 Direct Dependencies 54 total deps (including indirect) (example from snyk.io) @wickett
- 67. You cannot train developers to write secure code @wickett
- 68. INSTEAD, FOCUS ON METHODS DEVELOPERS USE ▸ TDD/BDD/ATDD ▸ Meaningful comments/commits ▸ Code Smells, Refactoring ▸ Instrumentation @wickett
- 69. The goal should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed.
- 70. Security is connected with quality @wickett
- 73. MAKER DRIVEN means ▸ See security as part of engineering ▸ View quality as a way to bring security in ▸ Use code, not vendors to solve problems @wickett
- 74. MEASURE @wickett
- 76. BENEFITS TO EXPERIMENTATION ▸ Measured, Repeatable ▸ Results based on your needs @wickett
- 77. @wickett
- 78. DETECT WHAT MATTERS ▸ Account takeover attempts ▸ Areas of the site under attack ▸ Most likely vectors of attack ▸ Business logic flows ▸ Abuse and Misuse @wickett
- 79. We can't cede home field advantage — Zane Lackey @wickett
- 80. EXPERIMENTING NECESSITATES UNDERSTANDING STEADY STATE @wickett
- 81. RESOURCES ▸ Shannon Lietz (@devsecops) ▸ DOES 2018 Talk: youtu.be/ yuOuVC8xljw @wickett
- 82. MEASURE @wickett
- 84. @wickett
- 85. @wickett
- 86. AUTOMATION PROVIDES FEEDBACK ▸ Pre-commit ▸ At build ▸ Deploy ▸ Runtime @wickett
- 87. @wickett
- 88. Continuous Delivery is how little you can deploy at one time — Jez Humble & David Farley @wickett
- 89. At Signal Sciences, we optimized total cycle time--from code commit to running in prod @wickett
- 90. 15,000 DEPLOYS IN 3.5 YEARS @wickett
- 91. SECURITY IN THE PIPELINE ▸ Software composition analysis ▸ Lang linters, git-hound, ... ▸ Scanners, gauntlt ▸ Monitoring and telemetry @wickett
- 92. [Deploys] can be treated as standard or routine changes that have been pre-approved by management, and that don’t require a heavyweight change review meeting.
- 96. MEASURE @wickett
- 98. Two Stories of Failure @wickett
- 100. @wickett
- 101. 5 Why's and Linear Questioning is Flawed @wickett
- 102. WE ABSTRACT COMPLEXITY ▸ Human beings ▸ Societial issues ▸ Psychological issues ▸ Cognitive load @wickett
- 103. SOFTWARE DEALS WITH COMPLEXITY THROUGH ABSTRACTION @wickett
- 104. ROOT CAUSE IS A MYTH ▸ Lacks full picture ▸ Blame culture ▸ Forgets organizational decisions ▸ Puts the focus on the event over situation ▸ Complex systems are not linear @wickett
- 105. Drifting into failure is a gradual, incremental decline into disaster driven by environmental pressure, unruly technology and social proccesses that normalize growing risk. No organization is exempt from drifting into failure
- 106. BOEING 737MAX ▸ Maneuvering Characteristics Augmentation System (MCAS) keeps the bigger plane from stalling ▸ The MCAS is automation software ▸ In certain situations, MCAS commands the trim in this condition without notifying the pilots @wickett
- 107. These events unfolded in minutes, at low altitudes right after takeoff, asking pilots to realize, understand, and respond to why their aircraft was silently fighting their inputs
- 108. in a context of being told that the “system” they were operating was pretty much like every other 737 they’d been likely to operate in their careers, ever. @jpaulreed
- 109. This new safety automation is capable of overriding operator input in silence and in ways that were poorly documented by designers, unclear to operators, and promised by developers
- 110. that nobody had to get new training on — a selling point — and this safety automation proved to cause the system to become critically unrecoverable in, at least, one case. -- @jpaulreed
- 111. HIGH-SPEED DECISIONS ABOUT SYSTEMS, SOUND FAMILIAR? @wickett
- 112. SOFTWARE IS EATING THE WORLD @wickett
- 113. The growth of complexity in society has got ahead of our understainding of how complex systems work and fail
- 114. @wickett
- 115. @wickett
- 116. Operations and Security's burden to rationalize system models @wickett
- 117. Failures are a systems problem because there is not enough safety margin. — @adrianco
- 118. Failure is an inevitable by- product of a complex system's normal functioning
- 119. WHERE SECURITY FITS ▸ Add safety margin ▸ Telemetry and instrumentation ▸ Blameless retros ▸ ...more to explore in this area @wickett
- 120. RESOURCES ▸ Drift into Failure by Dekker ▸ Understanding Human Error Video Series youtu.be/Fw3SwEXc3PU ▸ @jpaulreed coverage of Boeing medium.com/@jpaulreed ▸ Richard Cook paper bit.ly/2ydDQS2 @wickett
- 121. MEASURE @wickett
- 123. Culture is the most important aspect to devops succeeding in the enterprise — Patrick DeBois
- 124. DevSecOps is the extension of the DevOps culture for the inclusion of Security @wickett
- 125. A security team who embraces openness about what it does and why, spreads understanding. — Rich Smith
- 127. Unrestrained Sharing goes against security's standard operating procedure @wickett
- 130. FOUR KEYS TO CULTURE ▸ Mutual Understanding ▸ Shared Language ▸ Shared Views ▸ Collaborative Tooling @wickett
- 131. @wickett
- 132. SECURITY SHARES THROUGH ▸ Making invisible as visible ▸ Security Observability ▸ APIs, webhooks, dev tooling @wickett
- 133. Security Observability gives applications the ability to expose the attacks that are happening below the surface with feedback to devs, ops, and security. @wickett
- 134. A PAVED ROAD APPROACH ▸ Security as normal ▸ Security is "free" ▸ Jason Chan and Netflix
- 137. RESOURCES ▸ Phoenix Project ▸ Agile Application Security ▸ dearauditor.org @wickett
- 138. MEASURE @wickett
- 141. SOFTWARE BILL OF MATERIALS KNOW WHAT YOU HAVE @wickett
- 142. FAVOR SHORT LIVED SYSTEMS CATTLE NOT PETS @wickett
- 143. DIE FRAMEWORK ▸ Distributed ▸ Immutable ▸ Ephemeral ▸ source: @sounilyu @wickett
- 144. RUGGEDIZATION IN 2020 ▸ Deception ▸ Chaos Engineering @wickett
- 145. DECEPTION ▸ Honeypots, Tarpits, Mantraps ▸ Simple to get started (http headers) ▸ HoneyPy, DeceptionLogic @wickett
- 146. We’re moving from disaster recovery to chaos engineering to resiliency — @adrianco @wickett
- 147. [Chaos Engineering is] empirical rather than formal. We don’t use models to understand what the system should do. We run experiments to learn what it does. — Michael Nygard, Release It 2nd Ed. @wickett
- 148. CHAOS ENGINEERING ▸ Experiments that span eng and security ▸ Manual opt-out ▸ Valuable Learning ▸ ChaosSlingr, CHAP, ChaosMonkey @wickett
- 149. RESOURCES ▸ Aaron Rinehart's talk at RSA youtu.be/wLlME4Ve1go ▸ Release It! 2nd ed., Nygard ▸ Phillip Maddux's talk: youtu.be/k81xKjCEeqE ▸ Herb Todd's talk: youtu.be/Cf_XXmRLnRQ @wickett
- 150. MEASURE @wickett
- 154. "you want a machine powered off and unplugged" — Developer @wickett
- 156. DON’T BE A BLOCKER BE AN ENABLER @wickett
- 157. MEASURE DEVSECOPS Maker Driven Experimenting Automating Safety Aware Unrestrained Sharing Ruggedizing Empathy First