Colin Domoney -
Uploaded by devseccon-limited (Category: Presentations & Public Speaking)
Transcript of Colin Domoney -
Join the conversation #devseccon
By Colin Domoney
How does a traditional security team cope with a move to DevOps?
About Me / Contact Information
https://www.linkedin.com/in/colindomoney
@colindomoney
Our Storyboard
• Building a Security Team
• How Not to Engage with Development and Operations
• Developers are from Mars, Security are from Venus
• What We Did Differently
What I Thought I Needed …
Name: Crash “I void warranties” OveRide
What My Human Resources Brought Me …
Name: Jordan Belfort CISSP, CSSLP, CISM, CISA, CIPT, CIPM, CEH, OSCP, PTO …
What I Actually Needed …
LONDON, ENGLAND, Friday, 17h37
Let’s meet our hero – our Developer
The town sheriff – the Operations team
The monster – the Security team
“Security Gate”
Development UAT/SIT Production
REACTIVE
• “Non compliant”
• “Not meeting policy”
• “Blocked”
• “Exception from senior management”
• “Risk acceptance”
• “30 day deadline”
• “Risk assessment”
PROACTIVE
• “Let’s discuss a remediation plan”
• “Here’s a Wiki page on dealing with that”
• “You’re using a vulnerable component”
• “Here’s a code sample that shows you how”
• “There’s a new version of that library”
• “You should do a new static scan”
• “You’ve fixed all your flaws”
PRAGMATIC
• Don’t do “check box” compliance
• Negotiate a timescale for remediation
• Appreciate not all flaws need to be fixed
• Prioritise remediation activity
• End goal is risk reduction, not compliance
• Able to communicate with the Developers
• Understood their release cycles, environments, challenges
• Identified common ‘anti-patterns’ in their software
• Provided code snippets and remediation guidance
• Identified ‘second party’ components and their owners
• Identified vulnerable OSS and COTS packages
• Pragmatic approach to remediation
• Use new technology when relevant
What Did We Do Differently
What Does The Future Look Like?
Help Developers to Help Themselves
Join the conversation #devseccon
Thanks for your time!
Visit us on the stand, or contact me for further information.