DevSecOps Program Overview and Emerging Trends


Explore the journey of establishing a DevSecOps program, including insights from industry experts like Shannon Lietz. Discover the case for change in DevOps practices and the evolving landscape of cybersecurity trends, such as the integration of DevOps and security. Learn about the emergence of DevSecOps and how it addresses the challenges of scaling security in modern environments.

  • DevSecOps
  • Cybersecurity Trends
  • DevOps Practices
  • Shannon Lietz
  • Industry Experts


Presentation Transcript


  1. Establishing a DevSecOps Program. Shannon Lietz, DevSecOps Leader & Sr. Mgr Cloud Security Engineering at Intuit. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org

  2. Who I am
     • 25+ years Technology and Security Experience
     • Background in Security R&D
     • Working with the Cloud before it was called the Cloud
     • Manage my teams using DevOps and Scrum
     • IR & Crisis Management
     • -- FOUNDER --

  3. How was DevSecOps discovered? Securing at the rate of Innovation.
     • Bang Head Here
     • Pain
     • Trial & Error
     • Blood, sweat & tears
     • Ouch, my head hurts!
     • It would have been great to hear this talk a couple years ago.

  4. Case for Change
     • DevOps, Agile and Scrum on the rise
     • Workload migrations to software defined environments
     • Enterprises increasingly turning to Public and Private Cloud Providers
     • Talent migrating to progressive companies willing to embrace change
     • Start-ups now have game changing capabilities available for rent
     • Public Cloud Competitive landscape has been changing

  5. What is DevSecOps? Problem Statement:
     • DevOps requires continuous Deployments
     • Fast decision making is critical to DevOps success
     • Traditional Security just doesn't scale or move fast enough
     Welcome DevSecOps!!
     • Customer focused Mindset
     • Scale, Scale, Scale
     • Objective Criteria
     • Proactive Hunting
     • Continuous Detection & Response

  6. Emerging Security Trends
     • Shortage of Security Professionals
     • Big companies are attempting to scale security to move faster: Facebook, Netflix, LinkedIn, AWS, Intuit
     • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason Chan, Gene Kim, Josh Corman
     • Introduction of DevSecOps at MIRCon in 2014
     • SecDevOps at RSA 2015 was a full day of dedicated content
     • LinkedIn People Search: 8 DevSecOps, 7 SecDevOps, 7 DevOpsSec, 29k+ Cloud Security

  7. The Art of DevSecOps
     • Security Engineering: Experiment, Automate, Test
     • Security Operations: Hunt, Detect, Contain
     • Compliance Operations: Respond, Manage, Train
     • Security Science: Learn, Measure, Forecast

  8. Getting Started. Some basic principles:
     • You don't need to do all of DevSecOps at once.
     • Small security teams can have a profound impact.
     • Organize around self-service.
     • Figure out how to communicate security for the layperson.

  9. Path to DevSecOps. Start Here? Compliance Operations? Security Operations? Security as Code? Science?
     • DevOps + Security
     • DevOps + DevSecOps
     • Experiment: Automate Policy Governance
     • Experiment: Detection via Security Operations
     • Experiment: Compliance via DevSecOps toolkit
     • Experiment: Science via Profiling

  10. The DevSecOps Mindset
     • Customer Focus
     • Open & Transparent
     • Iteration over Perfection
     • Hunting over Reaction
     Hmmm - wait a minute, this sounds like a manifesto -> insert shameless plug here: http://www.devsecops.org

  11. What's the Work of a DevSecOps Team? Imagine that you will need to support all facets of security inline with development teams and at speed.
     • Do you have enough security experts to embed resources in DevOps teams?
     • Have you got amazing talent that would rather hunt for Security defects than create value?
     • Are you ready to invest in Self-Service for Security?
     • Are you working with a Cloud environment and can your team code?

  12. Ready to make these decisions? Columns run from internal (on-prem) hosting to partner-hosted (outsourced) models.

     | | On-Prem | Partial On-Prem | Outsource w/ No Indemnif. | Outsource w/ Part. Indemnif. | Outsource w/ Full Indemnif. |
     |---|---|---|---|---|---|
     | Who is responsible? | You | You | You | You + Partner | Partner |
     | Which minimal controls are needed? | Physical Security; Secure Handling & Disposal | File or Object Encryption for Sensitive Data; Physical Security; Secure Handling & Disposal | File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation | File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation | Partner Security Controls; SOC Attestation |
     | Where does data transit and get stored? | company owned data center or co-location | any compute & transit; data stored on-prem | public cloud; free services | SaaS; public cloud; free services; private cloud | managed services; SaaS; private cloud |
     | What are the innovation benefits? | reduced latency; search sensitive data | speed; reduced friction; search sensitive data | speed; reduced friction; evolving patterns; community | speed; reduced friction; evolving patterns; community | speed; reduced friction; indemnification |
     | What are the potential risks? | SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow Latency | SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow | Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown; Reduced Financial responsibility | Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown | Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown |

  13. Or set up policies that look like this:

     {
       "Version": "2015-05-09",
       "Statement": {
         "Effect": "Allow",
         "Action": [
           "iam:ChangePassword",
           "iam:GetAccountPasswordPolicy"
         ],
         "Resource": "*"
       }
     }

  14. And how do you hunt for security issues in software defined environments?

  15. Can you communicate security complexity using simple processes? A four-step cycle: Communicate, Discover, Evaluate, Control.

  16. More importantly, how do you translate?

     begin
       # Inline policies attached to the role that are absent from the approved baseline
       (iam.client.list_role_policies(:role_name => role)[:policy_names] \
         - roledb.list_policies(role)).each do |policy|
         # Log the diff of the unapproved policy against an empty document
         log.warn("Deleting Policy \"#{policy}\", which is not part of the approved baseline.") if policydiff("{}",
           URI.decode(iam.client.get_role_policy(:role_name => role, :policy_name => policy)[:policy_document]),
           {:argv => ARGV, :diff => options.diff})
         # Only remove the policy when not running in dry-run mode
         options.dryrun ? nil : \
           iam.client.delete_role_policy(:role_name => role, :policy_name => policy)
       end
     end

     Account Grade: B. Heal Account?
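The snippet on this slide only shows the deletion loop. As an added example (not code from the deck or from the speaker's toolkit), the block below carries the same "compare attached inline policies with an approved baseline, then heal" idea through end to end. The IAM client is a constructed in-memory stand-in named FakeIamClient, and the role name SecRole, the baseline APPROVED_BASELINE and the helper names policy_drift and heal_role are all assumptions made here so it runs offline; a real run would swap in the AWS SDK client and the team's policy store.

```ruby
require 'json'

# Constructed stand-in for the three IAM calls the slide's snippet relies on
# (list_role_policies, get_role_policy, delete_role_policy). Not the AWS SDK;
# it only lets the reconciliation logic run offline.
class FakeIamClient
  attr_reader :deleted

  # role_policies: { role_name => { policy_name => policy_document_json } }
  def initialize(role_policies)
    @role_policies = role_policies
    @deleted = []
  end

  def list_role_policies(role_name:)
    { policy_names: @role_policies.fetch(role_name).keys }
  end

  def get_role_policy(role_name:, policy_name:)
    { policy_document: @role_policies.fetch(role_name).fetch(policy_name) }
  end

  def delete_role_policy(role_name:, policy_name:)
    @role_policies.fetch(role_name).delete(policy_name)
    @deleted << [role_name, policy_name]
  end
end

# Canonicalise a parsed policy document so key order and whitespace do not
# register as drift; array order (statement order) is kept as-is.
def canonical(doc)
  case doc
  when Hash  then doc.keys.sort.each_with_object({}) { |k, h| h[k] = canonical(doc[k]) }
  when Array then doc.map { |v| canonical(v) }
  else doc
  end
end

# Compare what is attached to +role+ with +baseline+ ({ approved policy
# name => approved document }). Three kinds of drift are reported.
def policy_drift(iam, role, baseline)
  attached = iam.list_role_policies(role_name: role)[:policy_names]
  modified = (attached & baseline.keys).reject do |name|
    live = JSON.parse(iam.get_role_policy(role_name: role, policy_name: name)[:policy_document])
    canonical(live) == canonical(baseline[name])
  end
  {
    unapproved: attached - baseline.keys,   # attached, not in the baseline
    modified:   modified,                   # in the baseline, but the document differs
    missing:    baseline.keys - attached    # approved, but not attached
  }
end

# "Heal" the role by removing unapproved inline policies. With dryrun: true
# the drift is only reported and nothing is deleted.
def heal_role(iam, role, baseline, dryrun: true)
  drift = policy_drift(iam, role, baseline)
  drift[:unapproved].each do |name|
    warn %(Deleting Policy "#{name}", which is not part of the approved baseline.)
    iam.delete_role_policy(role_name: role, policy_name: name) unless dryrun
  end
  drift
end

# Constructed sample: one approved read-only policy, and a role that carries
# it (with keys in a different order) plus an unapproved admin policy.
APPROVED_BASELINE = {
  'ReadOnlyS3' => {
    'Version' => '2012-10-17',
    'Statement' => [{ 'Effect' => 'Allow', 'Action' => ['s3:GetObject'], 'Resource' => '*' }]
  }
}.freeze

def sample_iam
  FakeIamClient.new({
    'SecRole' => {
      'ReadOnlyS3' => JSON.generate({
        'Statement' => [{ 'Resource' => '*', 'Action' => ['s3:GetObject'], 'Effect' => 'Allow' }],
        'Version' => '2012-10-17'
      }),
      'AdminEverything' => JSON.generate({
        'Version' => '2012-10-17',
        'Statement' => [{ 'Effect' => 'Allow', 'Action' => '*', 'Resource' => '*' }]
      })
    }
  })
end

if $PROGRAM_NAME == __FILE__
  iam = sample_iam
  p heal_role(iam, 'SecRole', APPROVED_BASELINE, dryrun: true)   # report only
  p heal_role(iam, 'SecRole', APPROVED_BASELINE, dryrun: false)  # actually heal
  p iam.deleted
end
```

The dry-run default is deliberate: a healing job that deletes on first contact with an account is itself an incident waiting to happen, so the first pass should produce the report (the "Account Grade" on the slide) and a human or a later automated pass should flip dryrun off once the baseline is trusted.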

  17. Consider the DevSecOps Approach: Incident Driven Development (IDD)
     • Share your Security Tools with everyone in your organization
     • Everything is an incident; how you deal with it is a matter of priority and severity
     • Run campaigns & internal bounty programs; consider giving out t-shirts
     • Use your security experts as scientists
     • Keep Investigations separate

  18. Your environment should look something like this (diagram): threat intel; AWS accounts; EC2; CloudTrail; insights; S3 ingestion; security science; security tools & data; Glacier.

  19. And your team will need to operate like this (diagram): a Central Account (Trusted) holding IAM Admin, and BU Accounts (Trusting) each carrying IAM and a SecRole. How did we decide which roles would be deployed?
     • Human: IAM Admin; Incident Response; Read Only
     • Services: IAM Grantor; Instance Roles required to support security services; Read Only
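The trusted/trusting split on this slide rests on each BU account's SecRole trust policy naming only the central account. As an added example (not code from the deck), the block below checks a SecRole trust policy against that model and reports any deviation. The account ids, the constant CENTRAL_ACCOUNT, the helper names assume_role_principals and trust_findings, and the sample policies are all constructed here; the policy shape (an Allow statement for sts:AssumeRole with an AWS principal) is the standard cross-account trust form.

```ruby
require 'json'

# Placeholder for the central (trusted) security account; a real deployment
# would substitute its own 12-digit account id.
CENTRAL_ACCOUNT = '111111111111'.freeze

# Every principal that an Allow statement for sts:AssumeRole names.
# 'Principal' may be the string "*" or a hash whose 'AWS' member is a
# single ARN or an array of ARNs; all three shapes are handled.
def assume_role_principals(policy_json)
  doc = JSON.parse(policy_json)
  Array(doc['Statement']).flat_map do |st|
    next [] unless st['Effect'] == 'Allow'
    next [] unless Array(st['Action']).include?('sts:AssumeRole')
    principal = st['Principal']
    Array(principal.is_a?(Hash) ? principal['AWS'] : principal)
  end
end

# Account id from an IAM ARN ("arn:aws:iam::123456789012:root"); anything
# else (e.g. "*") is returned unchanged so the caller can flag it.
def account_id_of(principal)
  principal[/\Aarn:aws:iam::(\d{12}):/, 1] || principal
end

# Findings against the model on the slide: a SecRole in a BU (trusting)
# account should be assumable only from the central (trusted) account.
# An empty array means the trust policy matches the model.
def trust_findings(policy_json, central: CENTRAL_ACCOUNT)
  principals = assume_role_principals(policy_json)
  findings = []
  findings << 'no principal may assume this role' if principals.empty?
  principals.each do |p|
    if p == '*'
      findings << "wildcard principal #{p}"
    elsif account_id_of(p) != central
      findings << "trusts foreign account #{account_id_of(p)}"
    end
  end
  findings
end

# Constructed sample trust policies for a BU account's SecRole. The MFA
# condition is what a security team would normally require on the hop.
def trust_policy(*principals)
  JSON.generate({
    'Version' => '2012-10-17',
    'Statement' => [{
      'Effect' => 'Allow',
      'Principal' => { 'AWS' => principals.length == 1 ? principals.first : principals },
      'Action' => 'sts:AssumeRole',
      'Condition' => { 'Bool' => { 'aws:MultiFactorAuthPresent' => 'true' } }
    }]
  })
end

GOOD_TRUST_POLICY    = trust_policy("arn:aws:iam::#{CENTRAL_ACCOUNT}:root")
DRIFTED_TRUST_POLICY = trust_policy("arn:aws:iam::#{CENTRAL_ACCOUNT}:root",
                                    'arn:aws:iam::222222222222:root')
OPEN_TRUST_POLICY    = JSON.generate({
  'Version' => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Allow', 'Principal' => '*', 'Action' => 'sts:AssumeRole' }]
})

if $PROGRAM_NAME == __FILE__
  { good: GOOD_TRUST_POLICY, drifted: DRIFTED_TRUST_POLICY, open: OPEN_TRUST_POLICY }.each do |name, pol|
    puts "#{name}: #{trust_findings(pol).inspect}"
  end
end
```

Run across every BU account, this is the kind of objective criterion the deck asks for: a SecRole whose trust policy drifts to a second account or to a wildcard shows up as a finding, and the central account's hunting tools never silently lose (or over-gain) their foothold.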

  20. It's not easy, but it can make a difference
     • Security stops being the reason nothing gets done.
     • Everyone in your organization is responsible for security.
     • Security can be a differentiator in most organizations and leads to its own innovation discovery.

  21. Vendors embracing DevSecOps: Evident.io, AlertLogic, Tanium, Outlier Security, Continuum Security, AWS, TAP by Mandiant, SumoLogic, Splunk, OpenDNS

  22. Resources
     • http://www.devsecops.org
     • @devsecops
     • LinkedIn Group: DevSecOps
     • Github: DevSecOps
     • shannon@devsecops.org
