SESSION ID:SESSION ID:

#RSAC

Joshua Corman

Final Boarding for DevOps!You Don’t Have to Go Home, but…

ASD-T09F

Founder | Director I am The Cavalry | Cyber Statecraft Initiative, Atlantic Council@joshcorman @iamthecavalry @RuggedSoftware

#RSAC

#RSAC

#RSAC

#RSAC

Session ID:

Session Classification:

Joshua Corman & Gene Kim

Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed…

CLD-106

Intermediate

#RSAC

SESSION ID:

Gene Kim Joshua Corman

Rugged DevOpsGoing Even Faster

With Software Supply Chains

CTO

Sonatype

@joshcorman

Researcher and Author

IT Revolution Press

@RealGeneKim

#RSAC

SESSION ID:

David Mortman Joshua Corman

Continuous Security: 5 Ways DevOps Improves Security

ASD-T07R

CTO

Sonatype

@joshcorman

Chief Security Architect & Distinguished Engineer

Dell Software

@mortman

#RSAC

8

#RSAC

The New Lifecycle

9

Impact onReleases per Year

(Cycle Time)1-2

10-20

100-200

Plan Design Deploy OperateTestBuild

Traditional Lifecycle (Waterfall)

Plan ...

Learn

Deploy

Learn

Operate

Agile Dev

Learn

Plan ...Operate Operate

Modern Lifecycle (+DevOps, Continuous *)

Cycle Time: Months-Years

Cycle Time: Days-Weeks

Cycle Time: Minutes-Hours

#RSAC

1) Instrumentation

1) Instrumentation! #DevOps instruments EVERYTHING & Security can use it in MANY ways @joshcorman #RSAC #DevOps

#RSAC

2) Be Mean To Your Code!

2) Be Mean To Your Code! To avoid failure; fail all the time #ChaosMonkey #Gauntlt#BrakeMan @joshcorman #RSAC #DevOps

#RSAC

3) Complexity Is Enemy of “All The Things”! All #DevOps parties benefit from reducing complexity @joshcorman #RSAC

#RSAC

All of Chuck Norris’s Change Controls are Full Cycle and they’re always approved! @joshcorman #RSAC #DevOps

#RSAC

Madame CISO, Tear Down This Wall! #RSAC #DevOps @joshcorman

#RSAC

#RSAC

Triggers…

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

NationState

OrgCrime Current

DEFENSE

#RSAC

NationState

OrgCrime

Sub-Nation

al

Hacktivist

Lone Wolf

CurrentDEFENSE

FutureDEFENSE

#RSAC

#RSAC

CC : From: http://www.flickr.com/photos/maiabee/2760312781/

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

#RSAC

CC : From: http://www.flickr.com/photos/maiabee/2760312781/

#RSAC

https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

For the 41%390 daysCVSS 10s 224 days

#RSAC

40

#RSAC

H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”

Procurement Trio

1) Ingredients:

Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)

2) Hygiene & Avoidable Risk:

…and cannot use known vulnerable components without justification

3) Remediation:

…and must be patchable/updateable – as new vulnerabilities will inevitably be revealed

#RSAC

ACME

Enterprise

Bank

Retail

Manufacturing

BioPharma

Education

High Tech

Enterprise

Bank

Retail

Manufacturing

BioPharma

Education

High Tech

Enterprise

Bank

Retail

Manufacturing

BioPharma

Education

High Tech

TRUE COSTS (& LEAST COST AVOIDERS)

#RSAC

X Axis: Time (Days) following initial HeartBleed disclosure and patch availabilityY Axis: Number of products included in the vendor vulnerability disclosureZ Axis (circle size): Exposure as measured by the CVE CVSS score

COMMERCIAL RESPONSES TO OPENSSL

#RSAC

#RSAC

AT WHICH POINT… SW LIABILITY?

HHS Task

Force

FDA

GuidanceDOJ Work

Group

DOD

Policy

EU

Guidance

DOC/NTIA

Guidance

Presidential

Commissio

n ReportFTC

Guidelines

Congression

al Letters

DOT

Principles

NHTSA

Guidance

DHS

Guidance

Food and Drug

Administration

Department of

Homeland

Security

Department of

Transportation

Department of

Commerce

Presidential

Commission

Report

Presidential

Commission

Report

#RSAC

Triggers…

#RSAC

Uncomfortable Truths Require Uncomfortable Response

Joshua Corman@joshcorman Director | Cyber Statecraft Initiative

#RSAC

“Apply” Slide

55

Read:The Phoenix Project – Gene Kim

DevOps Cookbook/Handbook – Gene Kim ++

Continuous Deliver – Jez Humble

Lean Enterprise – Jez Humble

Get Involved:@RuggedSoftware – www.ruggedsoftware.org

@RuggedDevOps

@DevSecOps

Attend:DevOpsDays [in YOUR City]

DevOpsEnterpriseSummit (DOES 2017)

#RSAC

“Apply” Slide

56

Review:DHS Strategic Principles For Securing The Internet Of ThingsFDA Postmarket Management of Cybersecurity in Medical DevicesNHTSA Cybersecurity Best Practices for Modern VehiclesDOD Digital Vulnerability Disclosure PolicyWhite House President’s Commission Report on Enhancing National Cybersecurity— Testimony to President’s Commission on Enhancing National Cybersecurity by Joshua Corman

Commerce NTIA Department of Commerce Multistakeholder Process: Cybersecurity Vulnerabilities

Consider the 6 ways Safety IoT are differenthttps://www.iamthecavalry.org/iotdifferences/

Review the 5 Star Cybersafety Framework and Hippocratic Oathhttps://www.iamthecavalry.org/5star/

https://www.iamthecavalry.org/oath/

#RSAC

Thank you!

@joshcorman