Why won’t my DevOps team talk to my Security team?

Transcript

1. SECDEVOPS: CREATING CULTURAL CHANGE TO BRIDGE BETWEEN SECURITY AND DEVOPS?

   1 — @benjammingh for DevOpsDaysPDX!

2. WHO'S THIS CLOWN? 2 > Infrastructure security at Etsy. >

   Operations engineer at Puppet Labs. > Worked at some startups and some not so startups. > Owns a lot of black t-shirts. 2 https://twitter.com/skullmandible/status/411281851131523072 2 — @benjammingh for DevOpsDaysPDX!

3. ETSY? 99 Dachshund Queen by poordogfarm 3 — @benjammingh for

   DevOpsDaysPDX!

4. ETSY! > Global marketplace of amazing handmade and vintage goods.

   > Offices in Brooklyn, San Francisco, Toronto, Berlin, Paris, Dublin, soon the moon. > Over 40m members, over 1m active sellers. > Black Friday is coming up soon. Please buy things! (: 4 — @benjammingh for DevOpsDaysPDX!

5. DEVSECOPS? (WHAT? I DIDN'T NAME IT) 5 — @benjammingh for

   DevOpsDaysPDX!

6. DEVOPS (WHY IS NEVER OPSDEV?) 6 — @benjammingh for DevOpsDaysPDX!

7. DEVOPS CLUB? 7 — @benjammingh for DevOpsDaysPDX!

8. SECURI-WHO? 8 — @benjammingh for DevOpsDaysPDX!

9. 3 with thanks to the ever wonderful swanographer Pete Cheslock

   9 — @benjammingh for DevOpsDaysPDX!

10. 10 — @benjammingh for DevOpsDaysPDX!

11. (STABILITY. IT'S HARD TO FIND AN IMAGE FOR THAT) 11

    — @benjammingh for DevOpsDaysPDX!

12. 12 — @benjammingh for DevOpsDaysPDX!

13. SECURITY IS TRADITIONALLY A BLOCKER 13 — @benjammingh for DevOpsDaysPDX!

14. The Net interprets censorship as damage and routes around it.

    -- John Gilmore 14 — @benjammingh for DevOpsDaysPDX!

15. 15 — @benjammingh for DevOpsDaysPDX!

16. A security team that is left out of the process,

    is worse than no security team at all. — Ben Hughes, just now. 16 — @benjammingh for DevOpsDaysPDX!

17. "That's great Ben, what does this have to do with

    DevOps?" 17 — @benjammingh for DevOpsDaysPDX!

18. ADD A SECURITY IN EARLY 18 — @benjammingh for DevOpsDaysPDX!

19. HOW EARLY? 19 — @benjammingh for DevOpsDaysPDX!

20. SCALING A SECURITY PERSON BEING IN EVERY SINGLE MEETING 20

    — @benjammingh for DevOpsDaysPDX!

21. THE DEVOPS PYRAMID > 10 Developers. > 1 Operations person.

    21 — @benjammingh for DevOpsDaysPDX!

22. THE DEVSECOPS PYRAMID > 100 Developers. > 10 Operations people.

    > 1 Security person. 22 — @benjammingh for DevOpsDaysPDX!

23. 4 @JordannGross https://twitter.com/JordannGross/status/718457587218399233 23 — @benjammingh for DevOpsDaysPDX!

24. CHAMPIONS OUR PEOPLE ON THE INSIDE! 24 — @benjammingh for

    DevOpsDaysPDX!

25. SECURITY BOOTCAMPS ONE OF US, ONE OF US! (FOR A

    LIMITED TIME ONLY) 25 — @benjammingh for DevOpsDaysPDX!

26. THIS IS AWESOME. 26 — @benjammingh for DevOpsDaysPDX!

27. 1> It builds relationships early. 27 — @benjammingh for DevOpsDaysPDX!

28. 2> This makes security approachable from the start. 28 —

    @benjammingh for DevOpsDaysPDX!

29. 3> They take back that which they learned and share

    it with their team. 29 — @benjammingh for DevOpsDaysPDX!

30. THINGS TO DO WITH YOUR CHAMPIONS > have them in

    your Slack/IRC/chat medium of choice. > take them to conferences you attend BlackHat, DefCon, SummerCon > get them front row seats at in house security events. Sophia D’Antoine – Modern Application Security for iOS 30 — @benjammingh for DevOpsDaysPDX!

31. SENIOR ROTATIONS 31 — @benjammingh for DevOpsDaysPDX!

32. DESIGNATED HACKERS 32 — @benjammingh for DevOpsDaysPDX!

33. DESIGNATED, NOT DEDICATED 33 — @benjammingh for DevOpsDaysPDX!

34. WHY DO ALL THIS? 34 — @benjammingh for DevOpsDaysPDX!

35. "Oh hey, I saw this weird thing, is this anything...?"

    — Your most valuable security professional, Claire from finance. 35 — @benjammingh for DevOpsDaysPDX!

36. OUTREACH == EVERYONE IN YOUR ORGANISATION NOW WORKS ON SECURITY.

    36 — @benjammingh for DevOpsDaysPDX!

37. APPROACHABLE "Should I bother sending them this weird looking email?

    Nah, they were rude last time." — Someone who's about to run "DefinitelyNotMalware.exe" in most orgs. 37 — @benjammingh for DevOpsDaysPDX!

38. HUMILITY 38 — @benjammingh for DevOpsDaysPDX!

39. 39 — @benjammingh for DevOpsDaysPDX!

40. BLAME(-LESS) 40 — @benjammingh for DevOpsDaysPDX!

41. BLAMING PEOPLE WON'T MAKE THEM NOT DO THINGS (THEY JUST

    WON'T TELL YOU) 41 — @benjammingh for DevOpsDaysPDX!

42. YOU TELL PEOPLE NOT TO OPEN RANDOM FILES FROM PEOPLE

    THEY DON'T KNOW. YOU ALSO HAVE A RECRUITING TEAM. 42 — @benjammingh for DevOpsDaysPDX!

43. 43 — @benjammingh for DevOpsDaysPDX!

44. THIS BUG EXPLOITS UX 44 — @benjammingh for DevOpsDaysPDX!

45. 45 — @benjammingh for DevOpsDaysPDX!

46. THIS IS NOT THE USER'S FAULT. 46 — @benjammingh for

    DevOpsDaysPDX!

47. WE HAVE MADE BAD TOOLS AND WE SHOULD FEEL BAD.

    47 — @benjammingh for DevOpsDaysPDX!

48. WOULD YOU RATHER? 48 — @benjammingh for DevOpsDaysPDX!

49. HAVE 95% OF PEOPLE NOT FALL FOR PHISHING. 49 —

    @benjammingh for DevOpsDaysPDX!

50. OR 10% OF PEOPLE TELL YOU THEY DID. 50 —

    @benjammingh for DevOpsDaysPDX!

51. (IF YOU PICKED 'A' YOU ARE WRONG) (: 51 —

    @benjammingh for DevOpsDaysPDX!

52. MAKING SECURITY THE DEFAULT 52 — @benjammingh for DevOpsDaysPDX!

53. IF YOU MAKE SECURITY HARD, PEOPLE WON'T DO IT. 53

    — @benjammingh for DevOpsDaysPDX!

54. % gpg --help gpg (GnuPG/MacGPG2) 2.0.28 libgcrypt 1.6.3 Copyright (C)

    2015 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA, RSA, ELG, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Syntax: gpg [options] [files] Sign, check, encrypt or decrypt Default operation depends on the input data Commands: -s, --sign make a signature --clearsign make a clear text signature -b, --detach-sign make a detached signature -e, --encrypt encrypt data -c, --symmetric encryption only with symmetric cipher -d, --decrypt decrypt data (default) --verify verify a signature -k, --list-keys list keys --list-sigs list keys and signatures --check-sigs list and check key signatures --fingerprint list keys and fingerprints -K, --list-secret-keys list secret keys ... 54 — @benjammingh for DevOpsDaysPDX!

55. 55 — @benjammingh for DevOpsDaysPDX!

56. WhatsApp just made all their instant messaging end to end

    encrypted. The user has to do nothing to make this happen. Guess how many users are now doing this? (spoiler: all of them) 56 — @benjammingh for DevOpsDaysPDX!

57. COMPARE WHATSAPP USAGE TO GPG (GPG/PGP HAS BEEN AROUND SINCE

    THE 90S, SO SHOULD BE LARGER, NO?) 57 — @benjammingh for DevOpsDaysPDX!

58. CONCLUSION TIME! (YES YOU GET LUNCH) (EVEN BETTER, YOU GET

    JENNIFER!) 58 — @benjammingh for DevOpsDaysPDX!

59. SECURITY PEOPLE, BE > be approachable > be transparent >

    be humble > stop blaming users, work with them > then people will come to you 59 — @benjammingh for DevOpsDaysPDX!

60. THE REST OF THE ORGANISATION > don't be afraid of

    your security team > if you are, get a new security team > get everyone to be "part of" your security team > bake security in by default and early 60 — @benjammingh for DevOpsDaysPDX!

61. CONTROVERSIAL LAST SLIDE! DEVSECOPS ISN'T A REAL THING. YOU SHOULD

    JUST TALK TO ALL YOUR TEAMS, STOP IGNORING QA, DBS, HELPDESK, RECRUITING, ETC... 61 — @benjammingh for DevOpsDaysPDX!

62. THANK YOU > Twidder: @benjammingh > LinkedIn: lnkdin.me/p/benyeah > JitHub:

    github.com/barn > SpeakerDeck: speakerdeck.com/barnbarn > Etsy: Careers <--- CodeAsCraft <--- our blog 62 — @benjammingh for DevOpsDaysPDX!