DevSecCon KeyNote London 2015


Transcript of DevSecCon KeyNote London 2015

Page 1: DevSecCon KeyNote London 2015

LONDON 2015. Join the conversation #devseccon

Securing Innovation @ Speed & Scale via DevSecOps

DEVSECCON LONDON 2015 @devsecops

Page 2: DevSecCon KeyNote London 2015

Who am I?

• 25+ yrs Technology & Security Experience
• Background in Security R&D
• Working with the Cloud before it was called the “Cloud”
• Manage teams using DevOps, Agile & Scrum
• Incident Response & Crisis Management

-- FOUNDER --

Page 3: DevSecCon KeyNote London 2015

The Race for Competitive Advantage…

Indicators that demonstrate change:

• Tailoring business to the needs of customers to achieve large-scale business returns is driving Cloud & DevOps adoption
• Small businesses and entrepreneurs are enabled to compete in complex business models with boutique appeal against Enterprises
• High performing teams are being developed and incubated in Enterprises to mimic the DevOps teams found in Start-ups.

Page 4: DevSecCon KeyNote London 2015

Startups on the Rise in 2015…

From 1996 to 2015:

• Increase in Startups in 2015 shows rebound
• Entrepreneurs over 55 have nearly doubled
• Significant Rise in Immigrant Entrepreneurs
• New Entrepreneurs are on the rise again
• More men than women are becoming first time Entrepreneurs

kauffman.org

Page 5: DevSecCon KeyNote London 2015

DevOps Growth… (Google Trends)

• DevOps.com was bought in 2004
• Google searches for “DevOps” started to rise in 2010
• Major influences:
  • Saving your Infrastructure from DevOps / Chicago Tribune
  • DevOps: A Culture Shift, Not a Technology / Information Week
  • DevOps: A Sharder’s Tale from Etsy
  • DevOps.com articles
• RuggedSoftware.org was bought in 2010

https://www.google.com/trends/

Page 6: DevSecCon KeyNote London 2015

Cloud Security Boom…

• Cloud Platform security features are on the rise the last few years
• Security in the Cloud is becoming the norm
• Default configurations are still not quite there but will become the focus with growing thought leadership
• Cloud Providers must solve for providing security features that scale
• Security teams need to learn to use these features quickly

[Chart: year-by-year values for 2007 to 2015, rising from 48 to 514, with the latest year marked “?”. Source: AWS re:Invent 2015]

Page 7: DevSecCon KeyNote London 2015

Big Data?

• Reflecting on this 2013 article
• Devices & IoT drive bigger data
• Instrumentation <- Security needs this
• Asset management & monitoring
• Service Support

http://www.enterprisecioforum.com/big-data-case-study-utilities/

Page 8: DevSecCon KeyNote London 2015

DevOps increases speed & scale…

This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.

http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security

Page 9: DevSecCon KeyNote London 2015

So what hinders “secure” innovation @ speed & scale?

1. Friction for friction’s sake
2. Manual processes & meeting culture
3. Point in time assessments
4. Decisions being made outside of value creation
5. Contextual misunderstandings
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)

Page 10: DevSecCon KeyNote London 2015

And then there’s… Security & Compliance!

• The discipline is very complex

• Majority of the Security Industry is Vendor dependent

• Requires Meetings, Appointments, and Point in Time evaluations with low context

• Requirements are dependent on what is developed

• The art of “No” has become its own science

Page 11: DevSecCon KeyNote London 2015

Can Security evolve?

[Diagram: DEV, SEC and OPS, with the functions Compliance Operations, Security Operations, Security Science, Security Engineering and AppSec; three of them are labelled NEW]

• Security as Code
• Self-Service Testing
• Red Team/Blue Team
• Inline Enforcement
• Analytics & Insights
• Detect & Contain
• Incident Response
• Investigations
• Forensics

Page 12: DevSecCon KeyNote London 2015

What’s the DevSecOps Mission?

…creating targeted customer value through secure iterative innovation at speed & scale…

Security is Everyone’s Job!

Page 13: DevSecCon KeyNote London 2015

What should we value to evolve Security for DevOps?

• Leaning in over Always Saying “No”
• Data & Security Science over Fear, Uncertainty and Doubt
• Open Contribution & Collaboration over Security-Only Requirements
• Consumable Security Services with APIs over Mandated Security Controls & Paperwork
• Business Driven Security Scores over Rubber Stamp Security
• Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
• 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
• Shared Threat Intelligence over Keeping Info to Ourselves
• Compliance Operations over Clipboards & Checklists

In essence, don’t waste people’s time with Fear -> Uncertainty -> Doubt

devsecops.org

Page 14: DevSecCon KeyNote London 2015

Imagine adding Security into the DevOps pipeline…

[Diagram: Security Self-Service spanning the pipeline]

Skills: Biz, UX, Dev, Data Science, App Sec, Sec Eng, Comp Ops, Sec Ops, Ops, Training

Software & Infrastructure Platforms

Software Components & Resources

YOUR APP STACK GOES HERE

Operational Tools & Monitoring

collaboration, partnership, value creation, self-service [DevOps, Agile, Scrum, Cloud]

Page 15: DevSecCon KeyNote London 2015

The Art of DevSecOps (Security View)

DevSecOps:

• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast

Page 16: DevSecCon KeyNote London 2015

Can we make it simple? Yes!

• Smaller Teams
• Smaller Services
• Smaller Failures
• Rest APIs drive culture
• Customer focus
• Deep problem understanding throughout org
• Deliberate dedication to solving and simplifying tech challenges
• Products and Services have security built-in along the supply chain
• Security removes barriers and roadblocks as self-service for DevOps
• Managers map, magnify and multiply to create culture blast radius

Page 17: DevSecCon KeyNote London 2015

How can we get started?

Small Project
Approach is tailored to small experiments and pipeline testing.
Pros:
• Requires DevOps Approach
• Fast failures
• Team learns to collaborate
• Higher Productivity, Less waste
Cons:
• Skill shortages
• Team needs vision to avoid micro-focus churn

Migration
Approach allows organization to map and adjust for what they already know.
Pros:
• Allows companies to keep operating while teams figure out what’s needed
Cons:
• Overload
• Can be slower to accomplish completion
• Failures can become complex

Big Project
Approach is “all-in” and used to transform an organization as a whole.
Pros:
• Firm commitment alleviates political back and forth
• Focus & All-in Speed
Cons:
• Bigger Failures
• Difficult for everyone to learn from mistakes and experiments

Page 18: DevSecCon KeyNote London 2015

Small Project -> The Provocation

How can we transform a control into a self-aware, self-reporting, self-healing component that can be consumed at speed & scale?

Our challenge is to begin the process of creating self-aware and self-reporting components. This process can be achieved using configuration management tools, open source and log management systems. Let’s work with the IA Controls from NIST 800-53 today and use the implementation of MFA as an example. Specifically, IA-2 calls for multi-factor authentication, which is available in some Software Defined Environments as a feature. Let’s look at how we can enable MFA within our Stack and the different use cases that are present and require security baseline components.

Questions to answer:

1. How can baseline components be shared and extended?
2. Once the component is ready to be used, implemented, then what?
3. What about the feedback loop?
4. What is the best way to create an automated report that is continuously built and maintained?
5. How can we report across a full-stack?
6. What tools can assist?

[Diagram: FW ? / Web ?]

Compliance at Velocity (https://medium.com/compliance-at-velocity)

Page 19: DevSecCon KeyNote London 2015

Migrations -> One foot in… One foot out...

[Diagram: Traditional IT & Security (Web, App and DB tiers behind FW/IDS) migrating to DevOps + DevSecOps (ELB, App and DBAAS, still behind FW/IDS)]

Page 20: DevSecCon KeyNote London 2015

Big Project -> The Hail Mary

[Diagram: Traditional IT & Security (Web, App and DB tiers behind FW/IDS) beside DevOps? + DevSecOps? (the same Web, App and DB tiers behind FW/IDS)]

What is this?

Page 21: DevSecCon KeyNote London 2015

Why is the approach so important?

API KEY EXPOSURE -> 8 HRS

DEFAULT CONFIGS -> 24 HRS

SECURITY GROUPS -> 24 HRS

ESCALATION OF PRIVS -> 5 D

KNOWN VULN -> 8 HRS

Page 22: DevSecCon KeyNote London 2015

So let’s recap before we move on to examples…

DevSecOps needs:

• Active Collaboration
• High Engagement
• Experimentation
• Open Contribution
• Fail Fast Culture
• Ability to adapt and learn
• DevOps Understanding
• Focusing on Simplicity

Not this one…

This one!!

Page 23: DevSecCon KeyNote London 2015

Perimeter Testing

THEN: PCI DSS 1.1.1 – Approve/Test/Detect firewall changes
Labor: 40 hours/Annually
Tools: Excel, Text Pad, Open Source or Commercial Config Management
Measure: Certify annually
Impact: High

NOW: Scan API, Ingest Config/Cloudtrail, trigger firewall audits and revert unapproved changes to heal to spec
Labor: 40 hours/First Year, 8 hours per yr maintain
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: Depends on Resource
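The NOW column above (ingest Config/CloudTrail, audit firewall changes, revert unapproved ones to heal to spec) as an added example that is not part of the talk; the same baseline-diff pattern applies to the next slide's known-good stacks and AMIs. The baseline, the event records, the account id and the ARNs are constructed placeholders, and the event shape is a simplified stand-in for the real CloudTrail schema.

```python
"""Added example (not the talk's code): audit security-group changes seen in
CloudTrail-style events against an approved baseline and plan the revert."""
from datetime import datetime, timezone

def parse_ts(iso):  # CloudTrail eventTime format, e.g. 2015-11-12T09:00:00Z
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Approved baseline ("spec"): security group -> allowed (protocol, port, cidr) rules
BASELINE = {
    "sg-web": {("tcp", 443, "0.0.0.0/0"), ("tcp", 80, "0.0.0.0/0")},
    "sg-db": {("tcp", 5432, "10.0.1.0/24")},
}

# Constructed events in a simplified CloudTrail-like shape; account id and ARNs are placeholders
EVENTS = [
    {"eventTime": "2015-11-12T09:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-web", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "cidrIp": "0.0.0.0/0"}]}},
    {"eventTime": "2015-11-12T09:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"groupId": "sg-db", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5433, "cidrIp": "0.0.0.0/0"}]}},
    {"eventTime": "2015-11-12T09:06:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {}},
]

def rules_from_event(ev):
    """Flatten one ingress event into (group, (protocol, port, cidr)) tuples."""
    params = ev["requestParameters"]
    for perm in params.get("ipPermissions", []):
        for port in range(perm["fromPort"], perm["toPort"] + 1):
            yield params["groupId"], (perm["ipProtocol"], port, perm["cidrIp"])

def audit(events, baseline, now_iso):
    """Return one finding per rule that is not in spec: who added it, the API call
    that reverts it, and how long it took to notice (input to mean time to detection)."""
    now, findings = parse_ts(now_iso), []
    for ev in events:
        if ev["eventName"] != "AuthorizeSecurityGroupIngress":
            continue  # only firewall-rule additions are in scope for PCI DSS 1.1.1
        seen = parse_ts(ev["eventTime"])
        for group, rule in rules_from_event(ev):
            if rule not in baseline.get(group, set()):
                findings.append({"group": group, "rule": rule, "actor": ev["userIdentity"]["arn"],
                                 "revert": "RevokeSecurityGroupIngress",
                                 "detect_seconds": (now - seen).total_seconds()})
    return findings
```

Each finding carries the revoke call to issue and the actor to attribute the change to; the detect_seconds values are what the NOW column's mean time to detection is computed from.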

Page 24: DevSecCon KeyNote London 2015

Configuration Management/Baselines

THEN: PCI DSS 2.2 – Develop & Assure configuration standards for all system components.
Labor: 40 hours/Annually/Per Major Component
Tools: Excel, Text Pad, Open Source or Commercial Config Management
Measure: Certify annually
Impact: High

NOW: Track known good CF stacks & AMIs, alert or neutralize non-compliant/non-approved deploys
Labor: 40 hours/First Year, 1 hour per yr maintain/Per Component
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High

Page 25: DevSecCon KeyNote London 2015

Encrypting Sensitive Data

THEN: HIPAA 164.312(a)(2)(iv) – Implement a method to encrypt and decrypt electronic protected health information.
Labor: 1 FTE minimum per 3 DevOps Teams
Tools: Commercial, Open Source
Measure: Certify annually
Impact: High

NOW: Enforce encryption of all assets by platform or data classification tags. Continuous enforcement and automated detection.
Labor: 8 hours
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High

Page 26: DevSecCon KeyNote London 2015

Access Management

THEN: NIST 800-53 AC-2(12) – Monitors and report atypical usage of information system accounts.
Labor: 1 FTE minimum
Tools: Commercial, Open Source
Measure: Certify quarterly, annually
Impact: High

NOW: Cloudtrail/Config user attribution of use/abuse, ability to reduce team size and allow for smaller containers
Labor: 40 hours Dev, 8 hours Maintain
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High

Page 27: DevSecCon KeyNote London 2015

Multi-Factor Authentication

THEN: NIST 800-53 IA-2 – The information system uniquely identifies and authenticates organizational users
Labor: 1 FTE minimum
Tools: Commercial, Open Source
Measure: Certify annually
Impact: High

NOW: MFA built into APIs and Cloud Platforms can be exposed for authorization decisions
Labor: 1 hour per week
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Resolve
Impact: High

Global Call to Action 2015
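An added example (not from the talk) tying the MFA slide above to the self-aware, self-reporting component challenge on the Small Project slide: an IA-2 report that can be regenerated continuously across layers of the stack, plus an authorization check that consumes the platform's MFA signal. The inventory rows, the layer names, the heal text and the sensitive-action list are assumptions standing in for what an API or log pipeline would supply.

```python
"""Added example (not the talk's code): an IA-2 MFA component that is
self-reporting (continuous full-stack report) and exposes MFA state to
authorization decisions. Inventory rows and the sensitive-action list are
assumptions standing in for what an API or log pipeline would supply."""

# Constructed inventory, one row per account across layers of the stack
INVENTORY = [
    {"layer": "cloud-iam", "user": "alice", "mfa": True, "console": True},
    {"layer": "cloud-iam", "user": "deploy-bot", "mfa": False, "console": False},
    {"layer": "cloud-iam", "user": "bob", "mfa": False, "console": True},
    {"layer": "vpn", "user": "alice", "mfa": True, "console": True},
    {"layer": "db-admin", "user": "dba1", "mfa": False, "console": True},
]

# Actions for which the platform's MFA signal must be present (assumed list)
SENSITIVE_ACTIONS = {"RevokeSecurityGroupIngress", "DeleteDBInstance", "CreateAccessKey"}

def in_scope(row):
    """IA-2 scope in this example: interactive (console) accounts. Service
    accounts without console access are reported separately, not flagged here."""
    return row["console"]

def report(inventory, generated_at):
    """Build the continuously regenerated report: per-layer MFA coverage,
    findings with a heal action, and an overall score for the stack."""
    per_layer, findings = {}, []
    for row in inventory:
        if not in_scope(row):
            continue
        ok, total = per_layer.get(row["layer"], (0, 0))
        per_layer[row["layer"]] = (ok + int(row["mfa"]), total + 1)
        if not row["mfa"]:
            findings.append({"layer": row["layer"], "user": row["user"],
                             "heal": "require MFA enrolment; deny console until enrolled"})
    ok_all = sum(ok for ok, _ in per_layer.values())
    n_all = sum(t for _, t in per_layer.values())
    return {"generated_at": generated_at, "control": "NIST 800-53 IA-2",
            "coverage": {layer: round(ok / t, 2) for layer, (ok, t) in per_layer.items()},
            "score": round(ok_all / n_all, 2) if n_all else 1.0,
            "findings": findings}

def authorize(action, session):
    """Authorization decision that consumes the platform's MFA signal: sensitive
    actions are allowed only for sessions that authenticated with MFA."""
    if action in SENSITIVE_ACTIONS and not session.get("mfa_authenticated", False):
        return "deny: MFA required"
    return "allow"
```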

Page 28: DevSecCon KeyNote London 2015

Get Involved and Join the Community

• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity
• Join Us !!!
• Spread the word!!!