Final Boarding for DevOps! You Don’t Have to Go Home, but…
#RSAC
Joshua Corman
Final Boarding for DevOps! You Don’t Have to Go Home, but…
ASD-T09F
Founder | Director, I am The Cavalry | Cyber Statecraft Initiative, Atlantic Council. @joshcorman @iamthecavalry @RuggedSoftware
Joshua Corman & Gene Kim: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed…
Session CLD-106 (Classification: Intermediate)
Gene Kim & Joshua Corman: Rugged DevOps: Going Even Faster With Software Supply Chains
Joshua Corman, CTO, Sonatype (@joshcorman); Gene Kim, Researcher and Author, IT Revolution Press (@RealGeneKim)
David Mortman & Joshua Corman: Continuous Security: 5 Ways DevOps Improves Security
Session ASD-T07R
Joshua Corman, CTO, Sonatype (@joshcorman); David Mortman, Chief Security Architect & Distinguished Engineer, Dell Software (@mortman)
The New Lifecycle
[Diagram: impact on releases per year (cycle time) for three lifecycles]
Traditional Lifecycle (Waterfall): Plan, Design, Build, Test, Deploy, Operate. 1-2 releases per year; cycle time: months-years.
Agile Dev: Plan ... Deploy, Learn, Operate, Learn. 10-20 releases per year; cycle time: days-weeks.
Modern Lifecycle (+DevOps, Continuous *): Plan ... Operate, Operate, Learn. 100-200 releases per year; cycle time: minutes-hours.
1) Instrumentation
1) Instrumentation! #DevOps instruments EVERYTHING & Security can use it in MANY ways @joshcorman #RSAC #DevOps
2) Be Mean To Your Code!
2) Be Mean To Your Code! To avoid failure, fail all the time #ChaosMonkey #Gauntlt #Brakeman @joshcorman #RSAC #DevOps
3) Complexity Is Enemy of “All The Things”! All #DevOps parties benefit from reducing complexity @joshcorman #RSAC
All of Chuck Norris’s Change Controls are Full Cycle and they’re always approved! @joshcorman #RSAC #DevOps
Madame CISO, Tear Down This Wall! #RSAC #DevOps @joshcorman
Triggers…
[Two diagrams: adversary classes (Nation State, Org Crime, Sub-National, Hacktivist, Lone Wolf) set against Current DEFENSE and Future DEFENSE]
CC : From: http://www.flickr.com/photos/maiabee/2760312781/
https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
For the 41%: 390 days. CVSS 10s: 224 days.
H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”
Procurement Trio
1) Ingredients:
Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
2) Hygiene & Avoidable Risk:
…and cannot use known vulnerable components without justification
3) Remediation:
…and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
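The first two requirements above can be enforced mechanically at intake. What follows is an added example in Python, not code from the talk, from Sonatype, or from the text of H.R. 5793: it reads a bill of materials, fails any component listed without a version (Ingredients), and fails any component that falls inside a known-vulnerable range unless a justification is recorded against it (Hygiene). Remediation (patchability) is a property of the delivery mechanism rather than of the BOM, so it is not checked here. The BOM layout, the advisory tuple format, the `justification` field, and the `example-*` components with their advisory are assumptions for illustration; the OpenSSL range is the real Heartbleed range (1.0.1 through 1.0.1f, fixed in 1.0.1g).

```python
"""Procurement-trio gate over a software bill of materials (added example).

Checks Ingredients (every component carries a version) and Hygiene (no known-
vulnerable component ships without a recorded justification). The BOM and
advisory formats are simplified and hypothetical.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample BOM for a fictional product. The OpenSSL entry is the one
# real data point: 1.0.1 through 1.0.1f are the Heartbleed-affected releases,
# fixed in 1.0.1g. The other components are made up for the example.
SAMPLE_SBOM = json.dumps({
    "product": "acme-widget-service",
    "components": [
        {"name": "openssl", "version": "1.0.1f"},
        {"name": "example-parser", "version": "2.3.0",
         "justification": "TICKET-42: parser only sees trusted input; upgrade scheduled"},
        {"name": "example-logger"},                      # version missing
        {"name": "zlib", "version": "1.2.13"},
    ],
})

# Advisory feed: (component, first affected version, first fixed version, note).
# A version is affected when first_affected <= version < first_fixed.
KNOWN_VULNERABLE = [
    ("openssl", "1.0.1", "1.0.1g", "Heartbleed (CVE-2014-0160)"),
    ("example-parser", "2.0.0", "2.4.0", "constructed advisory for the example"),
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> tuple:
    """Split a version into comparable tokens: numeric runs compare as ints,
    alphabetic runs as strings, and a shorter prefix sorts first, so that
    1.0.1 < 1.0.1f < 1.0.1g < 1.0.2 (the OpenSSL letter-suffix scheme)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(version))


def is_affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed."""
    return version_key(first_affected) <= version_key(version) < version_key(first_fixed)


@dataclass
class Finding:
    component: str
    version: str
    rule: str        # "ingredients" or "hygiene"
    detail: str
    blocking: bool   # True means the BOM fails the gate


def evaluate_sbom(sbom_json: str, advisories=KNOWN_VULNERABLE) -> list:
    """Return one Finding per rule violation; an empty list means a clean BOM."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        if not version:
            findings.append(Finding(name, "", "ingredients",
                                    "listed without a version; BOM is incomplete", True))
            continue
        for adv_name, lo, fixed, note in advisories:
            if adv_name == name and is_affected(version, lo, fixed):
                justification = comp.get("justification")
                if justification:
                    findings.append(Finding(name, version, "hygiene",
                                            f"{note}; fixed in {fixed}; justified: {justification}", False))
                else:
                    findings.append(Finding(name, version, "hygiene",
                                            f"{note}; fixed in {fixed}; no justification recorded", True))
    return findings


def passes_gate(sbom_json: str, advisories=KNOWN_VULNERABLE) -> bool:
    """Gate decision: any blocking finding rejects the submission."""
    return not any(f.blocking for f in evaluate_sbom(sbom_json, advisories))


if __name__ == "__main__":
    for f in evaluate_sbom(SAMPLE_SBOM):
        print(("BLOCK " if f.blocking else "note  ")
              + f"{f.rule:11} {f.component} {f.version}: {f.detail}")
    print("gate:", "PASS" if passes_gate(SAMPLE_SBOM) else "FAIL")
```

Run as-is, the sample BOM fails: OpenSSL 1.0.1f is inside the Heartbleed range with no justification, and example-logger has no version. The justified example-parser entry is reported but does not block, which is the "without justification" clause of the slide in code. In practice the advisory feed would be a real vulnerability database and the version comparison would need per-ecosystem rules; the tokenised comparison here only covers the dotted-numeric plus letter-suffix pattern.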
TRUE COSTS (& LEAST COST AVOIDERS)
[Diagram: ACME at the top; three columns, each listing Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech]
COMMERCIAL RESPONSES TO OPENSSL
[Chart] X axis: time (days) following initial Heartbleed disclosure and patch availability. Y axis: number of products included in the vendor vulnerability disclosure. Z axis (circle size): exposure as measured by the CVE CVSS score.
AT WHICH POINT… SW LIABILITY?
[Slide lists the policy triggers: HHS Task Force; FDA Guidance; DOJ Work Group; DOD Policy; EU Guidance; DOC/NTIA Guidance; Presidential Commission Report; FTC Guidelines; Congressional Letters; DOT Principles; NHTSA Guidance; DHS Guidance]
Triggers…
Uncomfortable Truths Require Uncomfortable Response
Joshua Corman (@joshcorman), Director | Cyber Statecraft Initiative
“Apply” Slide
Read:
The Phoenix Project – Gene Kim
DevOps Cookbook/Handbook – Gene Kim ++
Continuous Delivery – Jez Humble
Lean Enterprise – Jez Humble
Get Involved:
@RuggedSoftware – www.ruggedsoftware.org
@RuggedDevOps
@DevSecOps
Attend:
DevOpsDays [in YOUR City]
DevOpsEnterpriseSummit (DOES 2017)
“Apply” Slide
Review:
DHS Strategic Principles For Securing The Internet Of Things
FDA Postmarket Management of Cybersecurity in Medical Devices
NHTSA Cybersecurity Best Practices for Modern Vehicles
DOD Digital Vulnerability Disclosure Policy
White House President’s Commission Report on Enhancing National Cybersecurity — Testimony to President’s Commission on Enhancing National Cybersecurity by Joshua Corman
Commerce/NTIA: Department of Commerce Multistakeholder Process: Cybersecurity Vulnerabilities
Consider the 6 ways Safety IoT are different: https://www.iamthecavalry.org/iotdifferences/
Review the 5 Star Cybersafety Framework and Hippocratic Oath: https://www.iamthecavalry.org/5star/ and https://www.iamthecavalry.org/oath/
Thank you!
@joshcorman