#LEAN SECURITY
@WICKETT // @ERNESTMUELLER // RSA 2016
@WICKETT // @ERNESTMUELLER // #LEANSECURITY
ERNEST MUELLER
JAMES WICKETT
@wickett
@ernestmueller
THEAGILEADMIN.COM
THE PRESENTATION
THAT JUST MIGHT
CHANGE YOUR LIFE…
COMPANIES ARE SPENDING A GREAT
DEAL ON SECURITY, BUT WE READ
OF MASSIVE COMPUTER-RELATED
ATTACKS. CLEARLY SOMETHING IS
WRONG.
THE ROOT OF THE PROBLEM IS
TWOFOLD: WE’RE PROTECTING (AND
SPENDING MONEY ON PROTECTING)
THE WRONG THINGS, AND WE’RE
HURTING PRODUCTIVITY IN THE
PROCESS.
Thinking Security, Steven M. Bellovin 2015
AGILE
WHAT IS AGILE?
• INDIVIDUALS AND INTERACTIONS
OVER PROCESSES AND TOOLS
• WORKING SOFTWARE
OVER COMPREHENSIVE DOCUMENTATION
• CUSTOMER COLLABORATION
OVER CONTRACT NEGOTIATION
• RESPONDING TO CHANGE
OVER FOLLOWING A PLAN
SOURCE: THE AGILE MANIFESTO
(HTTP://WWW.AGILEMANIFESTO.ORG/)
WHY AGILE?
• 45% OF ORGANIZATIONS ARE USING AGILE ON A MAJORITY OF THEIR TEAMS; ONLY 5% ARE NOT USING IT AT ALL
• AGILE RESULTS:
• ACCELERATE PRODUCT DELIVERY - 59%
• ENHANCE ABILITY TO MANAGE CHANGING PRIORITIES - 56%
• INCREASE PRODUCTIVITY - 53%
• ENHANCE SOFTWARE QUALITY - 46%
• ENHANCE DELIVERY PREDICTABILITY - 44%
SOURCE: VERSIONONE NINTH ANNUAL STATE OF AGILE SURVEY
(HTTPS://WWW.VERSIONONE.COM/PDF/STATE-OF-AGILE-DEVELOPMENT-SURVEY-NINTH.PDF)
WHAT IS DEVOPS?
DEVOPS IS THE PRACTICE OF OPERATIONS AND
DEVELOPMENT ENGINEERS PARTICIPATING
TOGETHER IN THE ENTIRE SERVICE LIFECYCLE,
FROM DESIGN THROUGH THE DEVELOPMENT
PROCESS TO PRODUCTION SUPPORT.
DEVOPS IS ALSO CHARACTERIZED BY OPERATIONS STAFF MAKING USE OF MANY OF THE SAME TECHNIQUES AS DEVELOPERS FOR THEIR SYSTEMS WORK.
SOURCE: THE AGILE ADMIN: WHAT IS DEVOPS?
HTTP://THEAGILEADMIN.COM/WHAT-IS-DEVOPS/
WHY DEVOPS?
• BY 2016 “DEVOPS WILL EVOLVE FROM A NICHE TO A MAINSTREAM STRATEGY EMPLOYED BY 25% OF GLOBAL 2000 ORGANIZATIONS” - GARTNER, MARCH 2015
• BENEFITS OF DEVOPS:
• NEW SOFTWARE/SERVICES THAT WOULD OTHERWISE NOT BE
POSSIBLE - 21%
• A REDUCTION IN TIME SPENT FIXING AND MAINTAINING APPLICATIONS
- 21%
• INCREASED COLLABORATION BETWEEN DEPARTMENTS - 21%
• AN INCREASE IN REVENUE - 19%
• IMPROVED QUALITY AND PERFORMANCE OF OUR DEPLOYED
APPLICATIONS - 19%
SOURCE: CA RESEARCH REPORT—DEVOPS: THE WORST-KEPT SECRET TO WINNING IN THE
APPLICATION ECONOMY (HTTP://REWRITE.CA.COM/US/ARTICLES/DEVOPS/RESEARCH-REPORT--
DEVOPS-THE-WORST-KEPT-SECRET-TO-WINNING-IN-THE-APPLICATION-ECONOMY.HTML)
HIGH-PERFORMING IT ORGANIZATIONS EXPERIENCE 60X FEWER FAILURES AND RECOVER FROM FAILURE 168X FASTER THAN THEIR LOWER-PERFORMING PEERS. THEY ALSO DEPLOY 30X MORE FREQUENTLY WITH 200X SHORTER LEAD TIMES.
SOURCE: 2015 STATE OF DEVOPS REPORT (PUPPET LABS)
LEAN
LEAN SOFTWARE
DEVELOPMENT
SEVEN PRINCIPLES:
• ELIMINATE WASTE
• AMPLIFY LEARNING
• DECIDE AS LATE AS POSSIBLE
• DELIVER AS FAST AS POSSIBLE
• EMPOWER THE TEAM
• BUILD INTEGRITY IN
• SEE THE WHOLE
SOURCE: LEAN SOFTWARE DEVELOPMENT: AN AGILE TOOLKIT (2003), MARY AND TOM POPPENDIECK
LEAN PRODUCT
DEVELOPMENT
• BUILD-MEASURE-LEARN
• BUILD – MINIMUM VIABLE PRODUCT
• MEASURE – THE OUTCOME AND INTERNAL
METRICS
• LEARN – ABOUT YOUR PROBLEM AND YOUR
SOLUTION
• REPEAT – GO DEEPER WHERE IT’S NEEDED
SOURCE: LEAN STARTUP (2011), ERIC RIES
WHY LEAN?
• "BOTH DEVOPS AND AGILE BORROW KEY CONCEPTS FROM LEAN MANUFACTURING, SO IT'S ALL ABOUT COMMUNICATION AND OPENNESS." - INFORMATIONWEEK
WHAT ARE THE
CHALLENGES THAT
AGILE / DEVOPS /
LEAN POSE TO
INFOSEC?
WRONG
QUESTION!
INSTEAD, EXAMINE HOW
ADOPTING THESE
STRATEGIES CAN HELP YOU
WIN
LEAN SECURITY IS
FOR WINNERS
THE SIX-FOLD PATH OF
LEAN SECURITY
(AND HOW TO WIN)
#1
SECURITY IS JUST
BEANCOUNTING
WE TRADED ENGINEERING
FOR ACTUARIAL DUTIES
“[RISK ASSESSMENT]
INTRODUCES A DANGEROUS
FALLACY: THAT STRUCTURED
INADEQUACY IS ALMOST AS
GOOD AS ADEQUACY AND
THAT UNDERFUNDED
SECURITY EFFORTS PLUS
RISK MANAGEMENT ARE
ABOUT AS GOOD AS
PROPERLY FUNDED SECURITY
WORK”
A SECURITY MANAGEMENT SYSTEM PROVIDES OPTIMAL
VALUE TO THE ORGANIZATION IF IT:
• ACTIVELY SUPPORTS ACHIEVING THE BUSINESS AND
COMPLIANCE OBJECTIVES OF THE ORGANIZATION
(THE VARIABLE PART)
• IS AN EFFICIENT, AGILE AND INTEGRATED PROCESS,
CAPABLE OF DEALING WITH A DYNAMIC THREAT
ENVIRONMENT
• CONSUMES MINIMAL TIME AND RESOURCES
• RESULTS IN ADEQUATELY MANAGED SECURITY RISK,
IN LINE WITH THE RISK APPETITE OF THE
ORGANIZATION
• PROVIDES ONLY THE NECESSARY, YET ADEQUATE,
USER FRIENDLY, EFFICIENT AND MEASURABLE
SECURITY CONTROLS
SOURCE: JOHAN BAKKER, LEAN SECURITY MANAGEMENT WHITE PAPER
UNDERSTAND THE
VALUE YOUR
ORGANIZATION WANTS
FROM YOU
#2
SECURITY IS A
BOTTLENECK
THE AVERAGE TIME TO
DELIVER CORPORATE IT
PROJECTS HAS INCREASED
FROM ~8.5 MONTHS TO OVER
10 MONTHS IN THE LAST 5
YEARS
Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
WHY ARE COMPANIES SO SLOW?
THE GROWTH OF CONTROL AND
RISK MANAGEMENT FUNCTIONS
WHICH IS TOO OFTEN POORLY
COORDINATED… [RESULTING IN] A
PROLIFERATION OF NEW TASKS IN
THE AREAS OF COMPLIANCE,
PRIVACY AND DATA PROTECTION.
Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
THE THREE WASTES
• MUDA - WORK WHICH ABSORBS RESOURCE
BUT ADDS NO VALUE
• MURI - UNREASONABLE WORK THAT IS
IMPOSED ON WORKERS AND MACHINES
• MURA - WORK COMING IN DRIBS AND
DRABS WITH SUDDEN PERIODS OF RUSH
RATHER THAN A CONSTANT OR REGULAR
FLOW, UNEVENNESS.
SECURITY WASTE
MUDA COMES IN SEVEN FORMS:
• EXCESS INVENTORY - DUMPING YOUR THOUSAND
PAGE PDF OF VULNERABILITIES ON A BUSY TEAM.
PRIORITIZE AND LIMIT WORK IN PROGRESS (WIP)
• OVERPRODUCTION - SECURITY CONTROLS STEMMING
FROM FUD OR MISALIGNMENT WITH BUSINESS NEEDS
(NOT DEMANDED BY ACTUAL CUSTOMERS) - CF.
PHOENIX PROJECT
• EXTRA PROCESSING - FOR EXAMPLE, RELYING ON
COMPLIANCE TESTING RATHER THAN DESIGNING THE
PROCESS TO ELIMINATE PROBLEMS - HELP IT GET
BUILT RIGHT FIRST
SECURITY WASTE
• HANDOFFS - LEVERAGE THE KNOWLEDGE OF THE TEAMS
DOING THE WORK AND COLLABORATE WITH THEM TO
BUILD SECURITY IN, INSTEAD OF THAT BEING SOME
OTHER TEAM’S JOB
• WAITING - LAG BETWEEN VALUE STEPS WAITING FOR
APPROVALS OR ANALYSES OR TICKET HANDLING - USE
SELF SERVICE AUTOMATION INSTEAD
• TASK SWITCHING - THE THOUSAND PAGE PDF AGAIN -
WORK WITH THEIR WORK INTAKE PROCESS NOT AGAINST
IT
• DEFECTS - FALSE POSITIVES AND FALSE NEGATIVES AND
JUST PLAIN UNIMPORTANT FINDINGS YOU REPORT
CAUSING ZERO-VALUE REWORK
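The "excess inventory", "task switching" and "defects" items above all come down to the same thing: what lands in a delivery team's queue must be deduplicated, stripped of already-reviewed noise, ranked, and capped. The following is an added example (not code from the deck or from any scanner vendor) of that triage step. The findings list, severity vocabulary and the `internet_facing` flag are constructed for illustration; a real pipeline would read a scanner export instead.

```python
"""Triage scanner findings before handing them to a delivery team.

Added example (not from the Lean Security deck): it implements the
"prioritize and limit WIP" advice from the muda list, using a constructed
findings list in place of a real scanner export.
"""
from collections import OrderedDict

# Ordinal severity so findings can be ranked; the names are assumed, not a
# particular scanner's vocabulary.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def dedupe(findings):
    """Collapse repeats of the same rule at the same location (the thousand-
    page PDF is mostly the same few issues reported many times)."""
    seen = OrderedDict()
    for f in findings:
        key = (f["rule"], f["path"], f.get("line"))
        seen.setdefault(key, f)
    return list(seen.values())


def suppress(findings, accepted):
    """Drop findings the team has already reviewed and accepted as false
    positives or as not worth fixing. `accepted` is a set of (rule, path)."""
    return [f for f in findings if (f["rule"], f["path"]) not in accepted]


def score(f):
    """Rank by severity, then by exposure: an internet-facing endpoint beats an
    internal one at the same severity."""
    exposure = 1 if f.get("internet_facing") else 0
    return (SEVERITY_RANK.get(f["severity"], 0), exposure)


def triage(findings, accepted=frozenset(), wip_limit=5):
    """Return at most `wip_limit` findings, highest priority first.
    sorted() is stable, so equal-priority findings keep scanner order."""
    ranked = sorted(suppress(dedupe(findings), accepted), key=score, reverse=True)
    return ranked[:wip_limit]


# Constructed sample export: a few real issues plus the noise a scanner emits.
SAMPLE_FINDINGS = [
    {"rule": "sqli", "path": "/api/orders", "line": 42, "severity": "critical", "internet_facing": True},
    {"rule": "sqli", "path": "/api/orders", "line": 42, "severity": "critical", "internet_facing": True},
    {"rule": "xss-reflected", "path": "/search", "line": 17, "severity": "high", "internet_facing": True},
    {"rule": "weak-cipher", "path": "admin.internal:443", "line": None, "severity": "high", "internet_facing": False},
    {"rule": "verbose-banner", "path": "/", "line": None, "severity": "info", "internet_facing": True},
    {"rule": "missing-hsts", "path": "/", "line": None, "severity": "low", "internet_facing": True},
    {"rule": "clickjacking", "path": "/legacy/iframe-embed", "line": None, "severity": "medium", "internet_facing": True},
]

# Reviewed once and accepted: the embed page is meant to be framed.
ACCEPTED = frozenset({("clickjacking", "/legacy/iframe-embed")})


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, ACCEPTED, wip_limit=3):
        print(f["severity"], f["rule"], f["path"])
```

The suppression set is the piece that removes the "defects" waste: a finding the team has consciously accepted is recorded once and never re-reported, instead of being re-triaged on every scan. Keep that set in version control next to the code so acceptances are reviewed like any other change.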
UNDERSTAND THE
WASTE THAT YOU
GENERATE
#3
SECURITY IS
INVISIBLE
SECURITY
PROFESSIONALS ARE
QUICK TO SAY
SECURITY IS
EVERYONE’S JOB
SECURITY COULD
LEARN FROM WEB
PERFORMANCE
CIRCA 2008
PERFORMANCE
• BROWSER EXTENSIONS FOR DEVS TO
UNDERSTAND PERFORMANCE PROBLEMS
• RESEARCH SHOWING PERFORMANCE TO
REVENUE CORRELATION
• SEARCHABLE LOGS EMITTING STATSD METRICS
• CONFERENCES COMBINING FRONT END DEVS AND
SYS ADMINS
• COMMITMENT TO INSTRUMENT AND GRAPH ALL
THE THINGS
SECURITY
• BROWSER EXTENSIONS FOR DEVS TO
UNDERSTAND SECURITY PROBLEMS
• RESEARCH SHOWING SECURITY TO REVENUE
CORRELATION
• SEARCHABLE LOGS EMITTING STATSD METRICS
• CONFERENCES COMBINING DEVS OPS AND
SECURITY
• COMMITMENT TO INSTRUMENT AND GRAPH ALL
THE THINGS
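"Searchable logs emitting statsd metrics" is the item on that list a practitioner can start on the same afternoon. Below is an added example (not code from the deck or from the statsd project) that turns web-server access log lines into security counters and formats them as statsd packets. The log lines are constructed, the attack signatures are deliberately crude illustrations rather than a WAF ruleset, and the statsd host and port are assumptions.

```python
"""Turn security-relevant log lines into statsd metrics.

Added example, not code from the deck or from any product: it shows the
"searchable logs emitting statsd metrics" idea with a constructed set of
combined-log-format lines and a minimal statsd client.
"""
import re
import socket
from collections import Counter

# Constructed sample: normal traffic with a few attack-shaped requests mixed
# in. Not from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2016:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2016:10:00:02 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2016:10:00:03 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2016:10:00:04 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2016:10:00:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "curl/7.47"
198.51.100.7 - - [01/Mar/2016:10:00:06 +0000] "GET /api/orders?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "curl/7.47"
198.51.100.7 - - [01/Mar/2016:10:00:07 +0000] "GET /../../etc/passwd HTTP/1.1" 403 0 "-" "curl/7.47"
"""

# Combined log format: client, identd, user, [time], "METHOD target PROTO", status, bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \d+'
)

# Cheap signatures worth counting; illustrative only, not a detection ruleset.
ATTACK_PATTERNS = {
    "xss": re.compile(r"<script|%3cscript", re.IGNORECASE),
    "sqli": re.compile(r"(%27|')\s*(%20|\s)*or(%20|\s)+", re.IGNORECASE),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.IGNORECASE),
}


def metrics_from_log(text):
    """Return a Counter of statsd metric name -> increment for `text`.
    Unparseable lines are counted too: a silent parser is a blind spot."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            counts["security.log.unparsed"] += 1
            continue
        status = int(m.group("status"))
        target = m.group("target")
        if target.startswith("/login") and m.group("method") == "POST":
            counts["security.auth.attempt"] += 1
            if status == 401:
                counts["security.auth.failure"] += 1
        for name, pattern in ATTACK_PATTERNS.items():
            if pattern.search(target):
                counts["security.attack." + name] += 1
        if status >= 500:
            counts["security.http.5xx"] += 1
    return counts


def to_statsd(counts):
    """Format counts as statsd counter packets: '<name>:<value>|c'."""
    return ["%s:%d|c" % (name, value) for name, value in sorted(counts.items())]


def send(packets, host="127.0.0.1", port=8125):
    """Fire-and-forget UDP send, as statsd expects. Host and port are assumptions."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for packet in packets:
            sock.sendto(packet.encode("ascii"), (host, port))
    finally:
        sock.close()


if __name__ == "__main__":
    for packet in to_statsd(metrics_from_log(SAMPLE_LOG)):
        print(packet)
```

Once these counters are on the same dashboard the developers already watch for latency and error rate, a spike in `security.auth.failure` or `security.attack.sqli` is visible to the people who own the endpoint, which is the whole point of the slide.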
SEE THE WHOLE
• KEEP MEANINGFUL METRICS, AND MAKE THOSE METRICS VISIBLE IN THE CONTEXT OF THE WORKERS’ TOOLCHAIN
• “LEAST PRIVILEGE” AS APPLIED TO SECURITY INFORMATION (NEED-TO-KNOW ABOUT FINDINGS, METRICS AND INCIDENTS) NEEDS TO BE UNLEARNED SOMEWHAT IN MODERN ORGANIZATIONS TO ALLOW EFFECTIVE INFORMATION SHARING; LEAST PRIVILEGE FOR SYSTEM ACCESS IS A DIFFERENT MATTER
• GET IN THE BUSINESS OF SHARING AND ADDING VISIBILITY FOR DEV AND FOR OPS
VISUALIZE
SECURITY SO
EVERYONE CAN
SEE
#4
SECURITY IS ALWAYS
TOO LATE
BUILD INTEGRITY IN
• “CEASE DEPENDENCE ON MASS
INSPECTION TO ACHIEVE QUALITY.
IMPROVE THE PROCESS AND BUILD
QUALITY INTO THE PRODUCT IN THE FIRST
PLACE." — W. EDWARDS DEMING
• INTEGRATE INTO CONTINUOUS
INTEGRATION AND USE TEST DRIVEN
DEVELOPMENT (TDD) TO RECTIFY ISSUES
AT THE LOWEST WASTE POINT
SOURCE: THE THREE WAYS
OF DEVOPS, GENE KIM
NEEDED A WAY TO
BE MEAN TO YOUR CODE
EARLIER IN THE
DEVELOPMENT PROCESS
ENTER GAUNTLT…
@slow @final
Feature: Look for cross site scripting (xss) using arachni against a URL

  Scenario: Using arachni, look for cross site scripting and verify no issues are found
    Given "arachni" is installed
    And the following profile:
      | name | value                 |
      | url  | http://localhost:8008 |
    When I launch an "arachni" attack with:
      """
      arachni --checks=xss* <url>
      """
    Then the output should contain "0 issues were detected."

GIVEN / WHEN / THEN
GAUNTLT: AN ATTACK LANGUAGE FOR DEVOPS
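The Gauntlt feature above turns a scanner's summary line into a pass/fail signal for the pipeline. The following is an added example, not part of Gauntlt or of the deck, that does the same job in a few lines of Python for a build that does not run Gauntlt: it executes an attack tool, reads the "N issues were detected." summary, and fails the build when the count exceeds a budget. No real scanner is invoked; `fake_scanner` substitutes a Python one-liner that prints an arachni-shaped summary and is a constructed stand-in for `arachni --checks=xss* <url>`.

```python
"""A small CI gate in the spirit of Gauntlt's "Then the output should contain".

Added example, not Gauntlt's code and not from the deck. The summary-line
format is the one the feature file asserts on; the fake scanner is a stand-in.
"""
import re
import subprocess
import sys

SUMMARY_RE = re.compile(r"(?P<count>\d+) issues? (?:was|were) detected\.")


def evaluate_output(output, max_issues=0):
    """Parse the tool output and decide pass/fail.

    Returns (passed, count). A missing summary line is a failure too: a tool
    that crashed or was misconfigured must not turn into a green build.
    """
    m = SUMMARY_RE.search(output)
    if m is None:
        return False, None
    count = int(m.group("count"))
    return count <= max_issues, count


def run_gate(command, max_issues=0, timeout=600):
    """Run `command` (an argv list, no shell) and return a process exit code:
    0 when the findings are within budget, 1 otherwise (including when the
    tool cannot be run at all, so the gate fails closed)."""
    try:
        proc = subprocess.run(command, capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        print("gate: could not run attack tool: %s" % exc, file=sys.stderr)
        return 1
    passed, count = evaluate_output(proc.stdout + proc.stderr, max_issues)
    if count is None:
        print("gate: no summary line in tool output; failing closed", file=sys.stderr)
    else:
        verdict = "PASS" if passed else "FAIL"
        print("gate: %d issue(s), budget %d -> %s" % (count, max_issues, verdict))
    return 0 if passed else 1


def fake_scanner(count):
    """Constructed stand-in for `arachni --checks=xss* <url>`: a command that
    prints the same summary line, so the gate can be exercised offline."""
    return [sys.executable, "-c", "print('%d issues were detected.')" % count]


if __name__ == "__main__":
    sys.exit(run_gate(fake_scanner(0)))
```

The budget argument is what keeps this from being "perfectionist and therefore unrealistic" (see #6 below): a team can start with the count the scanner reports today, ratchet it down, and never let it grow.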
http://theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-devops/
GENERATE SECURITY
FEEDBACK IN EACH
VALUE STEP
#5
SECURITY IS ALWAYS IN
THE WAY
ARE YOU “THAT
GUY?”
• YOU ALREADY KNOW YOU CAN’T MAKE
THINGS SECURE BY YOURSELF
• YOU NEED EVERYONE ELSE TO PITCH IN -
BUT IT SEEMS LIKE THE THINGS YOU DO
JUST ANGER THEM
EMPOWER THE TEAM
• UNDERSTAND HUMAN
MOTIVATION
• NETFLIX AUTOMATION
CREATED SAFE PATHS
AS THE DEFAULT
• REMOVES EMOTIONAL
CHARGE
SELF SERVICE
AUTOMATION
#6
SECURITY IS PERFECTIONIST
AND IS THEREFORE
UNREALISTIC
SECURITY IS YOUR
PRODUCT
BUILD-MEASURE-
LEARN
• DELIVER MINIMAL VIABLE SECURITY ACROSS EVERYTHING
• FOCUS ON DETECTION AND METRIC GATHERING FIRST
• ITERATE FROM THERE
• REMEMBER THAT THE ATTACKER ONLY NEEDS THE WEAKEST LINK, SO BROAD, THIN COVERAGE BEATS ONE DEEP CONTROL
• OVERLAP SMALLER SOLUTIONS - SEE JOSH MORE’S OWASP 2012 “LEAN SECURITY 101” PRESENTATION
MANAGE YOUR
PRODUCT
WE’VE BEEN THERE
ERNEST MUELLER
JAMES WICKETT
@wickett
@ernestmueller
THEAGILEADMIN.COM

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Lean Security

  • 2. @WICKETT // @ERNESTMUELLER // #LEANSECURITY
       ERNEST MUELLER (@ernestmueller), JAMES WICKETT (@wickett), THEAGILEADMIN.COM
  • 3. THE PRESENTATION THAT JUST MIGHT CHANGE YOUR LIFE…
  • 4. COMPANIES ARE SPENDING A GREAT DEAL ON SECURITY, BUT WE READ OF MASSIVE COMPUTER-RELATED ATTACKS. CLEARLY SOMETHING IS WRONG. THE ROOT OF THE PROBLEM IS TWOFOLD: WE’RE PROTECTING (AND SPENDING MONEY ON PROTECTING) THE WRONG THINGS, AND WE’RE HURTING PRODUCTIVITY IN THE PROCESS.
       SOURCE: Thinking Security, Steven M. Bellovin, 2015
  • 5.
  • 6. AGILE
  • 7. WHAT IS AGILE?
       • INDIVIDUALS AND INTERACTIONS OVER PROCESSES AND TOOLS
       • WORKING SOFTWARE OVER COMPREHENSIVE DOCUMENTATION
       • CUSTOMER COLLABORATION OVER CONTRACT NEGOTIATION
       • RESPONDING TO CHANGE OVER FOLLOWING A PLAN
       SOURCE: THE AGILE MANIFESTO (HTTP://WWW.AGILEMANIFESTO.ORG/)
  • 8. WHY AGILE?
       • 45% OF ORGANIZATIONS ARE USING AGILE ON A MAJORITY OF THEIR TEAMS; ONLY 5% ARE NOT USING IT AT ALL
       • AGILE RESULTS:
         • ACCELERATE PRODUCT DELIVERY - 59%
         • ENHANCE ABILITY TO MANAGE CHANGING PRIORITIES - 56%
         • INCREASE PRODUCTIVITY - 53%
         • ENHANCE SOFTWARE QUALITY - 46%
         • ENHANCE DELIVERY PREDICTABILITY - 44%
       SOURCE: VERSIONONE NINTH ANNUAL STATE OF AGILE SURVEY (HTTPS://WWW.VERSIONONE.COM/PDF/STATE-OF-AGILE-DEVELOPMENT-SURVEY-NINTH.PDF)
  • 9.
  • 10.
  • 11. WHAT IS DEVOPS?
       DEVOPS IS THE PRACTICE OF OPERATIONS AND DEVELOPMENT ENGINEERS PARTICIPATING TOGETHER IN THE ENTIRE SERVICE LIFECYCLE, FROM DESIGN THROUGH THE DEVELOPMENT PROCESS TO PRODUCTION SUPPORT. DEVOPS IS ALSO CHARACTERIZED BY OPERATIONS STAFF MAKING USE OF MANY OF THE SAME TECHNIQUES AS DEVELOPERS FOR THEIR SYSTEMS WORK.
       SOURCE: THE AGILE ADMIN: WHAT IS DEVOPS? (HTTP://THEAGILEADMIN.COM/WHAT-IS-DEVOPS/)
  • 12. WHY DEVOPS?
       • BY 2016 “DEVOPS WILL EVOLVE FROM A NICHE TO A MAINSTREAM STRATEGY EMPLOYED BY 25% OF GLOBAL 2000 ORGANIZATIONS” - GARTNER, MARCH 2015
       • BENEFITS OF DEVOPS:
         • NEW SOFTWARE/SERVICES THAT WOULD OTHERWISE NOT BE POSSIBLE - 21%
         • A REDUCTION IN TIME SPENT FIXING AND MAINTAINING APPLICATIONS - 21%
         • INCREASED COLLABORATION BETWEEN DEPARTMENTS - 21%
         • AN INCREASE IN REVENUE - 19%
         • IMPROVED QUALITY AND PERFORMANCE OF OUR DEPLOYED APPLICATIONS - 19%
       SOURCE: CA RESEARCH REPORT: DEVOPS: THE WORST-KEPT SECRET TO WINNING IN THE APPLICATION ECONOMY (HTTP://REWRITE.CA.COM/US/ARTICLES/DEVOPS/RESEARCH-REPORT--DEVOPS-THE-WORST-KEPT-SECRET-TO-WINNING-IN-THE-APPLICATION-ECONOMY.HTML)
  • 13. HIGH-PERFORMING IT ORGANIZATIONS EXPERIENCE 60X FEWER FAILURES AND RECOVER FROM FAILURE 168X FASTER THAN THEIR LOWER-PERFORMING PEERS. THEY ALSO DEPLOY 30X MORE FREQUENTLY WITH 200X SHORTER LEAD TIMES.
       SOURCE: 2015 STATE OF DEVOPS REPORT (PUPPET LABS)
  • 14. LEAN
  • 15. LEAN SOFTWARE DEVELOPMENT: SEVEN PRINCIPLES
       • ELIMINATE WASTE
       • AMPLIFY LEARNING
       • DECIDE AS LATE AS POSSIBLE
       • DELIVER AS FAST AS POSSIBLE
       • EMPOWER THE TEAM
       • BUILD INTEGRITY IN
       • SEE THE WHOLE
       SOURCE: LEAN SOFTWARE DEVELOPMENT: AN AGILE TOOLKIT (2003), MARY AND TOM POPPENDIECK
  • 16. LEAN PRODUCT DEVELOPMENT
       • BUILD-MEASURE-LEARN
       • BUILD - MINIMUM VIABLE PRODUCT
       • MEASURE - THE OUTCOME AND INTERNAL METRICS
       • LEARN - ABOUT YOUR PROBLEM AND YOUR SOLUTION
       • REPEAT - GO DEEPER WHERE IT’S NEEDED
       SOURCE: LEAN STARTUP (2011), ERIC RIES
  • 17. WHY LEAN?
       • “BOTH DEVOPS AND AGILE BORROW KEY CONCEPTS FROM LEAN MANUFACTURING, SO IT'S ALL ABOUT COMMUNICATION AND OPENNESS.” - INFORMATIONWEEK
  • 18. WHAT ARE THE CHALLENGES THAT AGILE / DEVOPS / LEAN POSE TO INFOSEC?
  • 20. INSTEAD, EXAMINE HOW ADOPTING THESE STRATEGIES CAN HELP YOU WIN
  • 21. LEAN SECURITY IS FOR WINNERS
  • 22. THE SIX-FOLD PATH OF LEAN SECURITY (AND HOW TO WIN)
  • 23. #1 SECURITY IS JUST BEANCOUNTING
  • 24. WE TRADED ENGINEERING FOR ACTUARIAL DUTIES
  • 25. “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
  • 26.
  • 27. A SECURITY MANAGEMENT SYSTEM PROVIDES OPTIMAL VALUE TO THE ORGANIZATION IF IT:
       • ACTIVELY SUPPORTS ACHIEVING THE BUSINESS AND COMPLIANCE OBJECTIVES OF THE ORGANIZATION (THE VARIABLE PART)
       • IS AN EFFICIENT, AGILE AND INTEGRATED PROCESS, CAPABLE OF DEALING WITH A DYNAMIC THREAT ENVIRONMENT
       • CONSUMES MINIMAL TIME AND RESOURCES
       • RESULTS IN ADEQUATELY MANAGED SECURITY RISK, IN LINE WITH THE RISK APPETITE OF THE ORGANIZATION
       • PROVIDES ONLY THE NECESSARY, YET ADEQUATE, USER FRIENDLY, EFFICIENT AND MEASURABLE SECURITY CONTROLS
       SOURCE: JOHAN BAKKER, LEAN SECURITY MANAGEMENT WHITE PAPER
  • 28. UNDERSTAND THE VALUE YOUR ORGANIZATION WANTS FROM YOU
  • 29. #2 SECURITY IS A BOTTLENECK
  • 30. THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS HAS INCREASED FROM ~8.5 MONTHS TO OVER 10 MONTHS IN THE LAST 5 YEARS
       SOURCE: Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
  • 31. WHY ARE COMPANIES SO SLOW? THE GROWTH OF CONTROL AND RISK MANAGEMENT FUNCTIONS WHICH IS TOO OFTEN POORLY COORDINATED… [RESULTING IN] A PROLIFERATION OF NEW TASKS IN THE AREAS OF COMPLIANCE, PRIVACY AND DATA PROTECTION.
       SOURCE: Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
  • 32. THE THREE WASTES
       • MUDA - WORK WHICH ABSORBS RESOURCES BUT ADDS NO VALUE
       • MURI - UNREASONABLE WORK THAT IS IMPOSED ON WORKERS AND MACHINES
       • MURA - UNEVENNESS: WORK COMING IN DRIBS AND DRABS WITH SUDDEN PERIODS OF RUSH RATHER THAN A CONSTANT OR REGULAR FLOW
  • 33. SECURITY WASTE: MUDA COMES IN SEVEN FORMS
       • EXCESS INVENTORY - DUMPING YOUR THOUSAND-PAGE PDF OF VULNERABILITIES ON A BUSY TEAM. PRIORITIZE AND LIMIT WORK IN PROGRESS (WIP)
       • OVERPRODUCTION - SECURITY CONTROLS STEMMING FROM FUD OR MISALIGNMENT WITH BUSINESS NEEDS (NOT DEMANDED BY ACTUAL CUSTOMERS) - CF. THE PHOENIX PROJECT
       • EXTRA PROCESSING - FOR EXAMPLE, RELYING ON COMPLIANCE TESTING RATHER THAN DESIGNING THE PROCESS TO ELIMINATE PROBLEMS. HELP IT GET BUILT RIGHT THE FIRST TIME
  • 34. SECURITY WASTE (CONTINUED)
       • HANDOFFS - LEVERAGE THE KNOWLEDGE OF THE TEAMS DOING THE WORK AND COLLABORATE WITH THEM TO BUILD SECURITY IN, INSTEAD OF THAT BEING SOME OTHER TEAM’S JOB
       • WAITING - LAG BETWEEN VALUE STEPS WHILE WAITING FOR APPROVALS, ANALYSES OR TICKET HANDLING. USE SELF-SERVICE AUTOMATION INSTEAD
       • TASK SWITCHING - THE THOUSAND-PAGE PDF AGAIN. WORK WITH THEIR WORK INTAKE PROCESS, NOT AGAINST IT
       • DEFECTS - FALSE POSITIVES, FALSE NEGATIVES AND JUST PLAIN UNIMPORTANT FINDINGS YOU REPORT, CAUSING ZERO-VALUE REWORK
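The "excess inventory", "task switching" and "defects" items above all come down to the same mechanical step: do not hand the team the raw scanner dump. The following added example (not from the talk; the finding fields, rule ids, file paths and suppression list are constructed assumptions) deduplicates constructed scanner output, drops findings the team has already triaged, orders the rest worst-first and caps what goes on the board at a WIP limit, while keeping a count of what was deferred so the inventory stays visible rather than silently discarded.

```python
"""Turn a raw scanner dump into a small, prioritized work queue.

Added example, not from the talk: it illustrates the 'prioritize and limit
work in progress' point from the security-waste slides on constructed
scanner output. The finding fields, rule ids, file paths and suppression
list are all assumptions made for the example.
"""
from collections import Counter

# Lower rank = worse. Unknown severities sort last rather than crashing.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed scanner output: one dict per finding, as a SAST tool might
# export it. Note the duplicate row and the finding in test code.
RAW_FINDINGS = [
    {"rule": "sqli-001", "severity": "critical", "file": "app/orders.py", "line": 42},
    {"rule": "sqli-001", "severity": "critical", "file": "app/orders.py", "line": 42},
    {"rule": "xss-007", "severity": "high", "file": "web/templates/cart.html", "line": 10},
    {"rule": "weak-hash-003", "severity": "medium", "file": "app/auth.py", "line": 77},
    {"rule": "debug-flag-002", "severity": "low", "file": "settings.py", "line": 5},
    {"rule": "banner-009", "severity": "info", "file": "nginx.conf", "line": 1},
    {"rule": "xss-007", "severity": "high", "file": "web/templates/cart.html", "line": 58},
    {"rule": "weak-hash-003", "severity": "medium", "file": "tests/fixtures.py", "line": 3},
]

# Assumed triage decisions already made with the dev team: (rule, path
# prefix) pairs reviewed and accepted, so they never go back on the queue.
SUPPRESSIONS = {("weak-hash-003", "tests/")}


def is_suppressed(finding):
    """True when a recorded triage decision covers this finding."""
    return any(
        finding["rule"] == rule and finding["file"].startswith(prefix)
        for rule, prefix in SUPPRESSIONS
    )


def triage(findings, wip_limit):
    """Return (queue, deferred_by_severity).

    queue: at most wip_limit unique, unsuppressed findings, worst first,
    which is what actually gets handed to the team this iteration.
    deferred_by_severity: a count of what stayed in inventory, so the
    backlog remains visible instead of being silently dropped.
    """
    seen = set()
    unique = []
    for f in findings:
        key = (f["rule"], f["file"], f["line"])
        if key in seen or is_suppressed(f):
            continue
        seen.add(key)
        unique.append(f)
    unique.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["file"], f["line"]))
    queue, deferred = unique[:wip_limit], unique[wip_limit:]
    return queue, Counter(f["severity"] for f in deferred)


if __name__ == "__main__":
    queue, deferred = triage(RAW_FINDINGS, wip_limit=3)
    for f in queue:
        print(f"{f['severity']:<9}{f['rule']:<16}{f['file']}:{f['line']}")
    print("still in inventory:", dict(deferred))
```

The suppression list is the part worth keeping in version control next to the code: it records the "accepted" decisions so the same finding does not become a fresh defect every scan, which is exactly the rework the "defects" bullet describes.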
  • 35. UNDERSTAND THE WASTE THAT YOU GENERATE
  • 36. #3 SECURITY IS INVISIBLE
  • 37. SECURITY PROFESSIONALS ARE QUICK TO SAY SECURITY IS EVERYONE’S JOB
  • 38. SECURITY COULD LEARN FROM WEB PERFORMANCE CIRCA 2008
  • 39. PERFORMANCE
       • BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND PERFORMANCE PROBLEMS
       • RESEARCH SHOWING PERFORMANCE TO REVENUE CORRELATION
       • SEARCHABLE LOGS EMITTING STATSD METRICS
       • CONFERENCES COMBINING FRONT END DEVS AND SYS ADMINS
       • COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS
  • 40. SECURITY
       • BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND SECURITY PROBLEMS
       • RESEARCH SHOWING SECURITY TO REVENUE CORRELATION
       • SEARCHABLE LOGS EMITTING STATSD METRICS
       • CONFERENCES COMBINING DEVS, OPS AND SECURITY
       • COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS
  • 41. SEE THE WHOLE
       • KEEP MEANINGFUL METRICS, AND MAKE THOSE METRICS VISIBLE IN THE CONTEXT OF THE WORKERS’ TOOLCHAIN
       • “LEAST PRIVILEGE” NEEDS TO BE UNLEARNED SOMEWHAT IN MODERN ORGANIZATIONS TO ALLOW EFFECTIVE INFORMATION SHARING
       • GET IN THE BUSINESS OF SHARING AND ADDING VISIBILITY TO DEV AND TO OPS
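"Searchable logs emitting StatsD metrics" is the concrete mechanism behind the performance analogy: the security signal goes onto the same dashboards the rest of the organization already watches. The following added example (not from the talk; the host names, addresses and metric namespace are constructed assumptions) parses a few constructed sshd syslog lines into events and aggregates them into plain StatsD counter lines, which any statsd-compatible collector accepts over UDP.

```python
"""Emit security events as StatsD metrics so they land on the graphs
developers and operators already watch.

Added example, not from the talk. It parses a few constructed sshd log
lines in OpenSSH's syslog format (the host, addresses and metric names are
assumptions) and produces plain StatsD counter lines ('name:value|c'),
which any statsd-compatible collector accepts over UDP.
"""
import re
import socket
from collections import Counter

# Constructed sample log lines; the cron line is there to show non-matches.
SAMPLE_LOG = """\
Mar  1 10:02:11 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51212 ssh2
Mar  1 10:02:13 web01 sshd[2231]: Failed password for root from 203.0.113.9 port 51214 ssh2
Mar  1 10:02:15 web01 sshd[2233]: Failed password for root from 203.0.113.9 port 51216 ssh2
Mar  1 10:02:20 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  1 10:02:21 web01 cron[2250]: (root) CMD (run-parts /etc/cron.hourly)
Mar  1 10:02:30 web01 sshd[2251]: Failed password for invalid user guest from 192.0.2.44 port 60001 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

METRIC_PREFIX = ("security", "ssh")  # assumed metric namespace


def parse_line(line):
    """Return a small event dict for the lines we care about, else None."""
    m = FAILED_RE.search(line)
    if m:
        return {"kind": "failed_password", "user": m["user"], "src": m["src"],
                "invalid_user": m["invalid"] is not None}
    m = ACCEPTED_RE.search(line)
    if m:
        return {"kind": "accepted", "user": m["user"], "src": m["src"],
                "method": m["method"]}
    return None


def statsd_name(*parts):
    """Join name parts with '.', which StatsD treats as a hierarchy
    separator; anything else (dots in an IP, odd characters) becomes '_'."""
    return ".".join(re.sub(r"[^A-Za-z0-9_]", "_", p) for p in parts)


def events_to_statsd(log_text):
    """Aggregate events into StatsD counter lines (sorted for stable output)."""
    counters = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        counters[statsd_name(*METRIC_PREFIX, ev["kind"])] += 1
        counters[statsd_name(*METRIC_PREFIX, ev["kind"], "by_source", ev["src"])] += 1
        if ev.get("invalid_user"):
            counters[statsd_name(*METRIC_PREFIX, "invalid_user")] += 1
    return [f"{name}:{value}|c" for name, value in sorted(counters.items())]


def send_udp(lines, host="127.0.0.1", port=8125):
    """Ship the metrics, one datagram per line (8125 is StatsD's default port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode(), (host, port))


if __name__ == "__main__":
    for metric in events_to_statsd(SAMPLE_LOG):
        print(metric)
```

Per-source counters are what make the "see the whole" point: a spike on `security.ssh.failed_password.by_source.*` sits on the same graph, with the same alerting, as a spike in request latency. Keep an eye on metric cardinality, though; if the source address space is large, emit the per-source series only for addresses above a threshold, or put the breakdown in the searchable log instead of the metric store.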
  • 42. VISUALIZE SECURITY SO EVERYONE CAN SEE
  • 43. #4 SECURITY IS ALWAYS TOO LATE
  • 44. BUILD INTEGRITY IN
       • “CEASE DEPENDENCE ON MASS INSPECTION TO ACHIEVE QUALITY. IMPROVE THE PROCESS AND BUILD QUALITY INTO THE PRODUCT IN THE FIRST PLACE.” - W. EDWARDS DEMING
       • INTEGRATE INTO CONTINUOUS INTEGRATION AND USE TEST DRIVEN DEVELOPMENT (TDD) TO RECTIFY ISSUES AT THE LOWEST-WASTE POINT
  • 45. SOURCE: THE THREE WAYS OF DEVOPS, GENE KIM
  • 46. NEEDED A WAY TO BE MEAN TO YOUR CODE EARLIER IN THE DEVELOPMENT PROCESS. ENTER GAUNTLT…
  • 47. Given When Then What? AN ATTACK LANGUAGE FOR DEVOPS
       @slow @final
       Feature: Look for cross site scripting (xss) using arachni against a URL

       Scenario: Using arachni, look for cross site scripting and verify no issues are found
         Given "arachni" is installed
         And the following profile:
           | name | value                 |
           | url  | http://localhost:8008 |
         When I launch an "arachni" attack with:
           """
           arachni --checks=xss* <url>
           """
         Then the output should contain "0 issues were detected."
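The Gauntlt attack above needs a deployed application to point arachni at, so it runs at the integration stage. "Rectify issues at the lowest-waste point" pushes the same check one stage earlier still. The following added example (not from the talk and not Gauntlt code; the greeting-page functions and payload list are constructed for the example) applies the scanner's own logic, inject a marker and look for it reflected intact, to a single rendering function, so the failure appears in the developer's unit test run. It shows the raw concatenation, a blacklist "fix" that the probes still get past, and the escaped version that reports zero issues.

```python
"""Be mean to your code before it ships: a unit-level reflected-XSS check.

Added example, not from the talk and not Gauntlt code. The arachni attack on
the slide probes a running application for reflected XSS; this applies the
same idea one stage earlier, to a single rendering function, so the failure
shows up in the developer's own test run rather than in a later scan. The
greeting-page functions and the payload list are constructed for the example.
"""
import html

# Constructed attack inputs: classic reflected-XSS probes. A real scanner
# uses a unique marker per request; fixed strings keep this self-contained.
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    "\"><img src=x onerror=alert(1)>",
    "<svg/onload=alert(1)>",
]


def render_greeting_vulnerable(name):
    """The 'before': user input concatenated straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_blacklist(name):
    """A common bad fix: strip the one tag the first bug report mentioned."""
    cleaned = name.replace("<script>", "").replace("</script>", "")
    return f"<p>Hello, {cleaned}!</p>"


def render_greeting(name):
    """The hardened version: escape for the HTML text context it lands in."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def find_reflected_xss(render, payloads=XSS_PAYLOADS):
    """Return the payloads that come back verbatim, i.e. unescaped.

    This is the same test a DAST scanner applies to a live page: inject a
    marker, look for it intact in the response. An empty list is this
    function's equivalent of arachni's '0 issues were detected.'
    """
    return [p for p in payloads if p in render(p)]


def test_greeting_is_xss_safe():
    """The TDD-style gate: put this next to the app's other unit tests and
    the build fails the moment someone reintroduces raw concatenation."""
    assert find_reflected_xss(render_greeting) == []


if __name__ == "__main__":
    for fn in (render_greeting_vulnerable, render_greeting_blacklist, render_greeting):
        issues = find_reflected_xss(fn)
        print(f"{fn.__name__:28} {len(issues)} issues were detected: {issues}")
```

Two caveats a reviewer would raise. First, `html.escape` is right for text and quoted-attribute contexts only; input that lands in a URL, a script block or an unquoted attribute needs context-specific encoding, which is a reason to keep the arachni run against the deployed page as well rather than replacing it. Second, the unit check only proves the probes in its list are neutralized, so treat it as the fast feedback loop, with the scanner as the broader, slower one.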
  • 48.
  • 49.
  • 50. http://theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-devops/
  • 51. GENERATE SECURITY FEEDBACK IN EACH VALUE STEP
  • 52. #5 SECURITY IS ALWAYS IN THE WAY
  • 53. ARE YOU “THAT GUY”?
       • YOU ALREADY KNOW YOU CAN’T MAKE THINGS SECURE BY YOURSELF
       • YOU NEED EVERYONE ELSE TO PITCH IN - BUT IT SEEMS LIKE THE THINGS YOU DO JUST ANGER THEM
  • 54. EMPOWER THE TEAM
       • UNDERSTAND HUMAN MOTIVATION
       • NETFLIX AUTOMATION CREATED SAFE PATHS AS THE DEFAULT
       • REMOVES EMOTIONAL CHARGE
  • 55. SELF-SERVICE AUTOMATION
  • 56. #6 SECURITY IS PERFECTIONIST AND IS THEREFORE UNREALISTIC
  • 57. SECURITY IS YOUR PRODUCT
  • 58. BUILD-MEASURE-LEARN
       • DELIVER MINIMAL VIABLE SECURITY ACROSS EVERYTHING
       • FOCUS ON DETECTION/METRIC GATHERING
       • ITERATE FROM THERE
       • REMEMBER THE WEAKEST LINK WINS
       • OVERLAP SMALLER SOLUTIONS - SEE JOSH MORE’S OWASP 2012 “LEAN SECURITY 101” PRESENTATION
  • 59. MANAGE YOUR PRODUCT
  • 60. WE’VE BEEN THERE
  • 61. ERNEST MUELLER (@ernestmueller), JAMES WICKETT (@wickett), THEAGILEADMIN.COM

Editor's Notes

  1. Howdy from Austin, Texas. We are James and Ernest and both have worked together doing devops and security and have been friends for the last 12 years. We are both actively involved with DevOps (we run devopsdays austin) and security community and user groups. We blog together at theagileadmin.com.
  2. DevOps changed our lives and we are here to share how the same Lean techniques can improve the effectiveness of your security work. We’re going to go fast, please hold questions till the end.
  3. In the recent 2015 book by Steven Bellovin, “Thinking Security” … we resonated with his opening on the problem statement of the modern security industry.
  4. this might be how you feel…. well lets get to some solutions.
  5. To talk about Lean, we also want to talk about Agile and DevOps because they’re closely interrelated.
  6. Most of you probably have an understanding of Agile. You have seen it done right, seen it done wrong… There’s a lot more to it, but this is the core manifesto.
  7. Agile has become widespread and has clear benefits to software development in organizations.
  8. Next, DevOps!
  9. “DevOps is the application of Agile methodology to system administration” - The Practice of Cloud System Administration Book
  10. 75% of tech pros know about DevOps, only 21% of those familiar with it are using it, though another 21% say they expect their organizations to adopt DevOps principles within a year. - InformationWeek 2014 survey
  11. As we saw earlier in Nicole’s presentation, companies are getting real ORDERS OF MAGNITUDE value out of devops, if you believe this is just another buzz word then you are either not seeing the benefits the rest of the industry is seeing (which you should say why am I not?) or perhaps you built a devops team or just re-siloed people.
  12. And that brings us to Lean. Lean as applied to Software is somewhat of a renaissance and a reminder to look back to what came before us.
  13. What is Lean? Lean started off by revolutionizing the world of manufacturing (W. Edwards Deming, Toyota Production System) but since then it has been adapted to software development. Its practices include value stream mapping, waste, pull, queueing theory, human motivation, measurement and visualization of metrics, TDD… We’ll go over many of these in the context of improving security work later in the presentation.
  14. Eric Ries also applied lean principles to product development in his book Lean Startup, which characterizes the core loop inside the product development cycle as “Build – Measure – Learn.” Lean is about bringing your effort onto the item with the highest leverage at any given time.
  15. The Puppet State of DevOps Report says: “One can describe DevOps as the pattern that emerges when you apply these same lean principles to technology.” Lean product, lean software, agile, and devops all come together into a single mutually reinforcing picture for a technology organization.
  16. If you look at every new innovation, whether it’s Lean, devops, cloud, social mobile, etc. as simply a “threat” to security then you’ve adopted a losing mindset out of the gate.
  17. Every single field has to innovate to stay relevant, and InfoSec doesn’t get a pass on that.
  18. We’ll now examine common challenges faced by InfoSec organizations and explain how you might be able to bring Lean to bear on implementing security more effectively in your organization. We explore 6 problems and hopefully provide some non-tautological solutions.
  19. Each one of these is a perception you have probably heard from someone at some point. While these are not all fair, they are also not completely random and unfounded. The first is that you’re just there to check boxes and don’t do much to make the apps and systems really more secure.
  20. In his book on browser security, Michal Zalewski (@lcamtuf) has a great intro covering the history of information security and he poignantly notes that we decided risk management was able to fill the development and operations gaps we experienced. We became experts of structured inadequacy and wrapping problems with policies and “Accept the risk” statements. This is not value creation.
  21. Do you know what value you are providing and where? In Lean, you map out the value stream of your organization to determine what the steps are between the initiation of a process and delivering it to the customer (concept to cash, in Lean Software terms). What are the value creation steps you provide?
  22. Agile/DevOps/Lean all teach us that your value is custom to your organization. Whatever stock answers you got taught in Security School are not necessarily the value your customers want out of you.
  23. The second complaint is that security is just a bottleneck to getting “the real work done.”
  24. Fortune Magazine reported just a few weeks ago that the average time to deliver Corporate IT Projects has increased from ~8.5 months to over 10 months in the last 5 years.
  25. Security has resulted in a proliferation of new work that, if badly coordinated, slows everything else down. Luckily the theory of constraints is what Lean is all about!
  26. Lean focuses a lot on the identification and removal of waste; it’s the very first principle. In today’s business environment time is a critical resource, and to be honest, Security is often guilty of squandering it. If you provide more waste than value you are a net negative to your organization.
  27. The seven forms of muda can be seen in security operations frequently. These are a couple security-centric examples, but the takeaway is to analyze what you’re doing and identify the areas of waste in it.
  28. Your net value to the organization is the value you create minus the waste that you generate.
  29. People are tempted to see security as a solution in search of a problem when they don’t see how it fits in to everything.
  30. Security is everyone’s job, right?
  31. In Operations, Performance used to be invisible and we would say performance was everyone’s job… Then we did something about it. I like to say that Security has a lot of corollaries to performance problems 5-10 years ago.
  32. To help people actually see and address the problems, performance experts focused on visualizing performance metrics directly in context to workers
  33. We could do the same thing with security…
  34. The more you can create fast feedback loops which detect and remediate security problems continually as part of your customers’ normal work process, the less waste you generate.
  35. I wanted to find a way to be mean to your code in the development process. I knew that attack tooling had to move upstream.
  36. You know - not just a bottleneck due to constraints, but actively messing with us.
  37. Adrian Cockcroft from Netflix claimed they had “No process” at AppSec one year. What he really meant is that they have made doing the right thing a part of the systems everyone uses, so the perception is that there’s no process.
  38. Security is a product, like any other. And all products have to make tradeoffs about what they will do and what they won’t do.
  39. If you listen to some folks you can’t “do security” without a $1.2M budget to get the six or seven huge products you need, and that’s the way to achieve perfection. But these tools are not only maybe not a good fit for your needs, but take a lot of time to implement. Rather than add additional waste via long analysis cycles, implement something small and fast, analyze results, and iterate. Often layers of a couple imperfect items yields better security than one “perfect” item.
  40. The whole reason there’s a DevOps track at this conference is that not too many years ago we were in the same situation and had all the exact same criticisms leveled at us. Operations was the at-best-invisible, beancounting bottleneck that was always a day late and a dollar short. But these time-tested principles have helped our entire industry begin to innovate its way out of that rut. Check them out and see if they can help you in the same way.
  41. Thanks for your time! You can find more of our thoughts at theagileadmin.com and we’re both here with companies working on solutions that we think are aligned with this vision of the future of security work.