Colin Domoney -

Post on 16-Apr-2017

Join the conversation #devseccon

By Colin Domoney

How does a traditional security team cope with a move to DevOps?

About Me / Contact Information

https://www.linkedin.com/in/colindomoney

@colindomoney

cdomoney@Veracode.com

Our Storyboard

• Building a Security Team
• How Not to Engage with Development and Operations
• Developers are from Mars, Security are from Venus
• What We Did Differently

What I Thought I Needed …
Name: Crash “I void warranties” OveRide

What My Human Resources Brought Me …
Name: Jordan Belfort CISSP, CSSLP, CISM, CISA, CIPT, CIPM, CEH, OSCP, PTO …

What I Actually Needed …

LONDON, ENGLAND, Friday, 17h37

Let’s meet our hero – our Developer

The town sheriff – the Operations team

The monster – the Security team

“Security Gate”

Development UAT/SIT Production

REACTIVE
• “Non compliant”
• “Not meeting policy”
• “Blocked”
• “Exception from senior management”
• “Risk acceptance”
• “30 day deadline”
• “Risk assessment”

PROACTIVE
• “Let’s discuss a remediation plan”
• “Here’s a Wiki page on dealing with that”
• “You’re using a vulnerable component”
• “Here’s a code sample that shows you how”
• “There’s a new version of that library”
• “You should do a new static scan”
• “You’ve fixed all your flaws”

PRAGMATIC
• Don’t do “check box compliance”
• Negotiate a timescale for remediation
• Appreciate not all flaws need to be fixed
• Prioritise remediation activity
• End goal is risk reduction, not compliance

• Able to communicate with the Developers
• Understood their release cycles, environments, challenges
• Identified common ‘anti-patterns’ in their software
• Provided code snippets and remediation guidance
• Identified ‘second party’ components and their owners
• Identified vulnerable OSS and COTS packages
• Pragmatic approach to remediation
• Use new technology when relevant

What Did We Do Differently

What Does The Future Look Like?

Help Developers to Help Themselves


Thanks for your time!

Visit us on the stand, or contact me for further information.