Post on 14-Apr-2017
Intuit Confidential and Proprietary
Safely Removing the Last Roadblock to Continuous Delivery
Shannon Lietz, Director DevSecOps, Intuit (@devsecops)
A Traditional Supply Chain
(Illustration: thanks to Henrik Kniberg)
Captions: "When will you solve my problem?!!" / "Can we discuss my feedback?" / "(Uh - seatbelts?)"
A Customer Centric Supply Chain
(Illustration: thanks to Henrik Kniberg)
Captions: "Awesome! When can I bring my kids with me? Does it come in Red?" / "Can this be motorized to go faster and for longer trips?" / "Better than walking, for sure… but not by much..."
Shifting left solves problems faster…
DEVOPS ROCKS!!!
Google Trends (https://www.google.com/trends/)
• Several years after the Agile Manifesto, DevOps.com was registered (2004)
• Google searches for “DevOps” started to rise in 2010
• Major influences:
  – Saving your Infrastructure from DevOps / Chicago Tribune
  – DevOps: A Culture Shift, Not a Technology / Information Week
  – DevOps: A Sharder’s Tale from Etsy
  – DevOps.com articles
• RuggedSoftware.org was registered in 2010
What’s the Business benefit?
Business strategy is achieved with the collaboration of all departments and providers in service to the customer, who requires better, faster, cheaper, secure products and services.
DID YOU SAY SECURE ??!!!
So what hinders “secure” innovation @ speed & scale?
1. Manual processes & meeting culture
2. Point in time assessments
3. Friction for friction’s sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
...
SECURITY IS LAST MINUTE UNPLANNED, UNSCHEDULED WORK… BUMMER!!!!
How do we get started?
(Diagram of DEV / SEC / OPS, with the labels Compliance Operations, Security Operations, Security Science, Security Engineering and AppSec)
Secure Software Supply Chain
1. Gating processes are not Deming-like
2. Security is a design constraint
3. Decisions made by engineering teams
4. It’s hard to avoid business catastrophes by applying one-size-fits-all strategies
5. A security defect is more like a security “recall”
(Diagram: design -> build -> deploy -> operate)
Questions along the pipeline: “How do I secure my app?” / “What component is secure enough?” / “How do I secure secrets for the app?” / “Is my app getting attacked? How?”
Typical gates for security checks & balances
Mistakes and drift often happen after the design and build phases, resulting in weaknesses and potentially exploits
Most costly mistakes happen during design
Faster security feedback loop
Staffing Models
Typical Traditional Supply Chain Ratio: 100 Dev / 10 Ops / 1 Sec
DevOps Staffing: 15 Teams+
Governance
Simplifying Security for the Masses
• Everyone knows Maslow…
• If you can remember 5 things, remember these ->
“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”
Why Governance?
Reasonable Security was recently defined for California within the 2016 California Data Breach Report:
“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
Migrating Security to the Left…
(Same design -> build -> deploy -> operate diagram as the Secure Software Supply Chain slide: the per-phase questions, typical gates for security checks & balances, mistakes and drift after design and build, most costly mistakes during design, faster security feedback loop)
Security is a Design Constraint
operate: Monitor & Inspect Everything
(Diagram labels: insights; security science; security tools & data; cloud accounts: S3, Glacier, EC2, CloudTrail; ingestion; threat intel)
SPEED MATTERS
security feedback loop, continuous response
deploy: Safe Continuous Deployment
(Diagram of the deployment target)
Internet
Cloud Provider Network: Backbone, Backbone
Cloud Platform (Orchestration): Network, Compute, Storage
Cloud Account(s): Load Balancers, Compute Instances, VPCs, Block Storage, Object Storage, Relational Databases, NoSQL Databases, Containers, Content Acceleration, Messaging, Email, Utilities, Key Management, API/Templates, Certificate Management
Partner Platform
Deployment Bundles in S3; Artifacts in Nexus/S3
safe deployment process; secured accounts & services
build: Fanatical Security Testing
Test types: static, dynamic, run-time
What gets tested: UX & Interfaces, Micro Services, Web Services, Code, CFn Templates, Build Artifacts, Deployment Packages, Resources, Patterns & Baselines, Security Groups, Account Configuration
Real-Time Updates
Patterns & Baselines
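The static leg of this testing is the easiest to put in front of a deploy: a CFn template can be checked for a dangerous security-group rule before anything is created. The following is an added example, not code from the deck or from Intuit; it assumes the template is in JSON form (a YAML template with `!Ref`-style tags needs a CloudFormation-aware loader) and uses a constructed sample template and constructed allow-lists of ports.

```python
"""Added example: static check of a CloudFormation template for world-open ingress rules."""
import ipaddress
import json

# Constructed sample template (not from the deck). It mixes an acceptable public HTTPS
# listener, world-open admin and app ports, a world-open "all traffic" rule, a rule
# limited to a private range, and a standalone SecurityGroupIngress resource.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin jump access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        "LegacySg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "legacy",
                "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}],
            },
        },
        "RdpRule": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {"GroupId": "sg-placeholder", "IpProtocol": "tcp",
                           "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"},
        },
    },
})

PUBLIC_OK_PORTS = {80, 443}   # constructed allow-list: single-port public web listeners
ADMIN_PORTS = {22, 3389}      # constructed: world exposure of these is rated HIGH


def _is_world_open(rule):
    """True when the rule's CIDR covers every address (0.0.0.0/0 or ::/0)."""
    cidr = rule.get("CidrIp", rule.get("CidrIpv6"))
    if not isinstance(cidr, str):
        return False  # Ref / Fn:: intrinsic functions cannot be resolved statically
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _port_range(rule):
    """Normalise a rule to an inclusive (low, high) port tuple; protocol -1 means all ports."""
    if str(rule.get("IpProtocol")) == "-1":
        return 0, 65535
    lo = int(rule.get("FromPort", 0))
    return lo, int(rule.get("ToPort", lo))


def _ingress_rules(resource):
    """Yield ingress rules from both inline and standalone security-group resources."""
    props = resource.get("Properties", {})
    if resource.get("Type") == "AWS::EC2::SecurityGroup":
        return props.get("SecurityGroupIngress") or []
    if resource.get("Type") == "AWS::EC2::SecurityGroupIngress":
        return [props]
    return []


def check_template(template_text):
    """Return one finding per world-open rule that is not an allowed public web port."""
    findings = []
    for logical_id, resource in json.loads(template_text).get("Resources", {}).items():
        for rule in _ingress_rules(resource):
            if not _is_world_open(rule):
                continue
            lo, hi = _port_range(rule)
            if lo == hi and lo in PUBLIC_OK_PORTS:
                continue
            wide = hi - lo >= 1024 or any(lo <= p <= hi for p in ADMIN_PORTS)
            findings.append({"resource": logical_id, "ports": (lo, hi),
                             "severity": "HIGH" if wide else "MEDIUM"})
    return findings


if __name__ == "__main__":
    for f in check_template(SAMPLE_TEMPLATE):
        print(f"{f['severity']:6} {f['resource']}: ports {f['ports'][0]}-{f['ports'][1]} open to the world")
```

Wiring `check_template` into the build step so that any HIGH finding fails the build is what turns a point-in-time review into the gate the deck asks for; the MEDIUM tier is there so that a team can decide, per pattern, which non-admin ports it is willing to expose.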
18
desi
gn
Secure Baselines & Patterns
templates resourcespatterns services
Security Monitoring
Egress Proxy CFn Template
Bastion CFn Template
Secure VPC CFn Template
CloudTrail CFn Template
SecretsBundle
MarketPlace
Red Team, Security Operations & Science
(Finding type -> time)
API key exposure -> 8 hrs
Default configs -> 24 hrs
Security groups -> 24 hrs
Escalation of privs -> 5 d
Known vuln -> 8 hrs
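The "Monitor & Inspect Everything" slide has CloudTrail flowing through ingestion into security tooling, and this slide attaches a clock to each finding type. The added example below (not code from the deck or from Intuit) joins the two: it classifies CloudTrail-shaped records into findings, pairs each opening event with the event that closes it, and reports whether the elapsed time met the target. It assumes the slide's numbers are the maximum allowed time from detection to closure, uses constructed records in the real CloudTrail field layout (`eventName`, `eventTime`, `requestParameters`), and covers only two of the five finding types (security groups and escalation of privileges) since those are the ones visible in API activity.

```python
"""Added example: measure CloudTrail-detected findings against per-type response targets."""
import json
from datetime import datetime, timedelta, timezone

# Targets from the slide, read as detection-to-closure limits (an assumption).
RESPONSE_TARGETS = {
    "api_key_exposure": timedelta(hours=8),
    "default_config": timedelta(hours=24),
    "security_group": timedelta(hours=24),
    "privilege_escalation": timedelta(days=5),
    "known_vuln": timedelta(hours=8),
}

# Constructed records (not real logs) in CloudTrail's request-parameter layout.
SSH_WORLD = {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                        "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}
SAMPLE_EVENTS = json.dumps([
    {"eventTime": "2017-04-10T08:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": SSH_WORLD}},
    {"eventTime": "2017-04-10T10:30:00Z", "eventName": "RevokeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": SSH_WORLD}},
    {"eventTime": "2017-04-11T09:00:00Z", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "build-bot",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-04-12T09:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-0def", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
])


def _world_open(ip_permissions):
    """True if any range in the permission set is 0.0.0.0/0 or ::/0."""
    for perm in ip_permissions.get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
        for rng in perm.get("ipv6Ranges", {}).get("items", []):
            if rng.get("cidrIpv6") == "::/0":
                return True
    return False


def classify(event):
    """Map one record to (finding_class, key, 'open'|'close'), or None if not of interest."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    if name in ("AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"):
        if not _world_open(params.get("ipPermissions", {})):
            return None
        return ("security_group", params.get("groupId"),
                "open" if name.startswith("Authorize") else "close")
    if name in ("AttachUserPolicy", "DetachUserPolicy"):
        if not str(params.get("policyArn", "")).endswith("/AdministratorAccess"):
            return None
        return ("privilege_escalation", params.get("userName"),
                "open" if name.startswith("Attach") else "close")
    return None


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(events_json, now_text):
    """Pair open/close events per finding and grade each against its target at time `now`."""
    now = _ts(now_text)
    findings = {}
    for ev in sorted(json.loads(events_json), key=lambda e: e["eventTime"]):
        hit = classify(ev)
        if hit is None:
            continue
        cls, key, action = hit
        when = _ts(ev["eventTime"])
        if action == "open":
            findings.setdefault((cls, key), {"class": cls, "key": key, "opened": when, "closed": None})
        elif (cls, key) in findings and findings[(cls, key)]["closed"] is None:
            findings[(cls, key)]["closed"] = when
    report = []
    for f in findings.values():
        target = RESPONSE_TARGETS[f["class"]]
        elapsed = (f["closed"] or now) - f["opened"]
        if f["closed"] is not None:
            status = "closed_in_target" if elapsed <= target else "closed_late"
        else:
            status = "open_within_target" if elapsed <= target else "open_overdue"
        report.append({**f, "elapsed_hours": round(elapsed.total_seconds() / 3600, 1), "status": status})
    return report


if __name__ == "__main__":
    for r in evaluate(SAMPLE_EVENTS, "2017-04-13T12:00:00Z"):
        print(f"{r['class']:21} {r['key']:10} {r['elapsed_hours']:6.1f}h  {r['status']}")
```

The `open_overdue` status is the one that matters operationally: it is the signal that the continuous-response loop on the operate slide has stalled for a finding type, and it can be raised the moment the target is exceeded rather than at the next point-in-time assessment.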
Compliance Operations as Continuous Improvement
Reference: https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf