
...start my slideshow. Please let me know if, for any reason, you can't see the things that I am trying to show you. Do my slides look okay? I'm gonna assume that's a yes.

Okay, so this talk is called Security Learns to Sprint, and it is all about DevSecOps. Things are changing, and industry is changing, and that means us security folks are changing. And so this talk's going to explain what is DevOps, what is DevSecOps, things we can do so that we are going along with all the nice DevOps teams and people and processes, but still make sure that there's secure software at the end. Let's do this.

Okay, so I'm Tanya Janca, and the purpose of the "about me" slide, I'm not sure if you knew this, is to show you that we are qualified to give our own talk. I know it sounds really silly, but I didn't understand, like, why are they telling me their résumé? I remember thinking, like, the audience doesn't care what I do for a living, and they're like, actually, they do. So I founded my own startup company, which is really exciting. We're called We Hack Purple, and we train people how to create secure software and how to be AppSec engineers, and I'm so excited. I'm known as SheHacksPurple, and yes, some of my hair is purple. I'm a purple teamer, which means I do red, offense, and blue, defense, and so people just started teasing me that I couldn't make up my mind, and so that I was purple team. I wrote my first book, Alice and Bob Learn Application Security, and it ships October 27th, and I'm so excited. I've worked in tech a really long time. I started a community and an international nonprofit called WoSEC with a bunch of really amazing women. I am super into OWASP, and basically, like, I'm a nerd on the internet all the time. So yeah, there's, like, a lot of me everywhere; all the things are me. I used to make music, so if you look on Spotify or places like that, that's me too. So I hope you think, okay, Tanya seems good, let's keep watching. Yes, let's begin the talk.

Okay, so we are going to talk today about how security is part of everybody's job. It's literally part of everybody's job. For people that write code, it's your job to write the most secure code that you know how to write. If you are designing applications or networks, it's your job to design the most secure design you can. If you are performing operations and supporting things, it's your job to harden all those systems and protect them as best you can. And so security is a part of everyone's job. And usually I like to ask everyone, so, you know, who supports apps? Who works in IT? Who does this? Who does that? Who does security? And then I make everyone put up their hand. But since it's virtual, I hope you realize that security is a part of your job, whether it's in your job description or not. We're also going to talk about what DevOps is and how we do it, and we're going to talk about security becoming a part of DevOps, which makes for DevSecOps. Yes, that's the best kind.

Okay, so let's start with DevOps. Okay, so this is the most famous security slide about DevOps, by Pete Cheslock. So he's awesome. He may have been being sarcastic, but you can see the security person cleaning up the mess left by the amazing unicorn pony Pegasus of DevOps. And a lot of security people used to see DevOps like this. However, this is how I see DevOps. So my friend François Raynaud from DevSecCon made this, and I love it. And so this is us teaching the magical DevOps people; this is us giving tools and training and assistance and enabling the DevOps teams to do their job securely, to create systems that are secure. This is the way I view DevOps, and I'm not kidding, I really think this. But that's what we're going to talk about today, these things and more, kind of hands-on stuff that we can do.

But I'm going to start with a couple definitions. This slide is so loud; that yellow is really intense. We should make a poll in Hopin that's like, is the yellow too intense, should Tanya remove the yellow from the slide? I just added it. It was orange, and I felt the orange wasn't loud enough. Anyway.

Okay, so I'm going to define a few things for you. I know that some of you are probably thinking, oh, I already know this stuff, but just remember there's people in the audience who don't know this stuff and that I'm defining it for them, so please have patience for two minutes of definitions. So the first definition is, what is application security, and why does Tanya keep saying AppSec? It's because I say "application security" 100 times a day when I teach, and it's just too long. So AppSec is every and any activity that you perform to try to ensure your software is secure. So that could mean literally anything. It could be a formal program, so an application security program to turn your system development life cycle into a secure system development life cycle. It could be you hiring a penetration tester to come in and do some tests, or an expert to come and review your code and do a static code analysis of all of your stuff. Or it could be that one of your software developers heard a podcast, and it turns out, you know, one of the third-party frameworks that they're using has a problem in it, and they want to upgrade off of that version to make sure, you know, that they're not insecure, and so they do that. And you don't even have to have the security team involved to be fighting the good fight, which is to try to secure software.

Application security is a problem. According to the Verizon breach report, it causes the most data breaches every year. I've only been checking this specifically since 2016, but they did a halfway-through-2020 report, and unfortunately we won that honor of being first again. And if you look at this chart, point of sale is the second one, and point of sale is when people skim credit cards, and so that's a physical attack. But if you look at the rest of the online attacks, it's actually still, we're just winning by such a landslide. And I want us to lose this competition. I want us to not be the number one cause, and I don't want that to be because other things get worse; I want it to be because we get better.

Also, security's just not being taught in schools, like in universities. They might cover web app hacking a little bit, but it is very, very rare that they cover application security as a whole and that they teach it thoroughly. You couldn't imagine someone going to trade school and learning to become an electrician and having them just not teach them how to ensure what they're doing is safe, and just having houses burn down all the time and saying, well, it doesn't happen that often, oh well. Because that's what we're doing in computer science and software engineering, and it's just so not acceptable. This is actually why I wrote the book, because I'm trying to adapt it into a course for universities. So if you work at a university, please reach out, because I want this slide, I want to delete it, because it's not true anymore.

Okay, so security is outnumbered. You see her? That's me. Every place where I did AppSec full-time, it's usually just me. There's, like, no team helping me, or maybe there's, like, one or two people and they are running an automated scanner, but I am the person that actually knows all the AppSec and is doing everything. And look how lonely she looks in the data center, cold and alone. That's the closest photo I could get to, like, one of me.

So, DevSecOps. So there are approximately, they say in industry, 100 developers for every 10 operations people for every one security person. But that's every type of security; that's not AppSec. Usually I've worked and there's two, three, four hundred developers and me. One place I worked, there were 4,000 developers and me. This was so hard, because they all wanted help and they all needed help. Like, their requests were genuine. I had them writing me on LinkedIn and Twitter to try to talk to me, because I just couldn't answer my emails; they would just, like, scroll off the screen constantly. And you can't work harder at that point; you just have to work smarter.

And so my friend made this image for me, because the waterfall method of developing software really stinks. It's good for physical things, because you can't keep releasing new versions of a physical item; you can't release a new version of a building. But for software, waterfall didn't work well, and the accompanying image did not work well either. And I remember working somewhere and they had a very long release cycle, and it's very stressed out, and I was calling waterfall "water fail," and my friend made me this image. He's like, look, it's dinosaurs all happy, frolicking in the waterfall. No.

Okay, so what is DevSecOps? That's what you're thinking. You're like, that's what I came to hear, Tanya. Okay, so I asked this question to my friend Imran Mohammed, and he is the founder of Practical DevSecOps, and they might be my company's competitors, but we're besties, and I don't care; he's awesome. And so he told me, he's like, it's what we've always done, Tanya. We keep doing AppSec, but we work in a DevOps environment, so we just change the way we do our jobs. You know, we don't want to break their processes. If they're sprinting, we're sprinting. If they're using a pipeline, we want some time in that pipeline. He's like, we still have the same goals; we just get to them in a different way. And that is DevSecOps. It's what we as application security professionals do in a DevOps environment. And I was like, you're a brilliant dude, we should be friends. True story.

Okay, so the three ways of DevOps. So again, you might know this, but a bunch of the audience doesn't know, and that's why I'm telling them. So there are three ways of DevOps, things that you must do in order to be doing DevOps. So the first is you must emphasize the efficiency of the entire system. So we want to go fast, but not just our part. So sometimes this means rolling up your sleeves and fixing bugs, security bugs, with software developers. Sometimes this means breaking our activities into smaller pieces. There's all sorts of ways, but we need to increase the efficiency of the entire system, not just our part. The second way of DevOps is fast feedback. And I just put "fast feedback," but it's really fast, accurate feedback to the person who actually needs it. And so there's no point in getting really fast feedback into a system and a dashboard that no one checks. There's no point in getting really fast feedback that's super inaccurate. So we're going to talk about that. And continuous learning: this means taking time to improve your daily work. This means risk taking, safe experiments. It means exerting effort to make sure that our security results are better, faster, more amazing, and learning new things. So these are the three ways of DevOps. So if you buy a pipeline, you're doing part of DevOps, but there's so much more.

Okay, so let's look at each of the goals of DevOps. So there's business goals. It turns out that just because all of us nerds with hands on keyboards want to do DevOps does not mean the business is okay with doing DevOps. They agree to do DevOps because of the three main goals that are achieved by DevOps. So the first one is improved deployment frequency. So they said, you know, we want to be able to release, you know, cool new features or fix things faster. And so when I saw this, I thought, oh, so you can fix my emergency security right now? This is awesome. So I liked this when I heard it. And then the next goal of DevOps is lower failure rates. When I saw this, I was like, oh, I love this. So people in DevOps will say, yeah, resiliency, we want to make really rugged apps. And I love that because of this: the CIA triad, confidentiality, integrity, and availability. That's right, folks, the DevOps people love one of the CIA triad just like we do. And so when we look at this, and they talk about resiliency, what I see is the A in the CIA means my apps are always available. So that means that they are working really hard; one of their main goals is to serve one of my main goals. So I think DevOps is awesome. And the last main goal that DevOps teams have is faster time to market. And I know that some security people might think, how does that relate to us? We don't have jobs if we're out of business. I have worked with many security folk where they forget it's our job to enable everyone else in the business to do their jobs securely. And it is my firm belief that the security team cannot win if the business is not also winning. I mean, if there's a bad marketing campaign that flops, obviously that's not our fault. However, we're not winning if the business is not also winning. And so faster time to market is a giant win, and faster time to market with a really secure product is fantastic. And so I love DevOps. I think DevOps is awesome. And so I'm quoting myself again, because no one else would say this for me, so I had to quote myself: DevOps is the best thing to happen to application security since OWASP. And since I'm an OWASP project leader and chapter leader, clearly I love this community, and so that is the biggest compliment I could possibly pay to anyone in the application security field. And so I think DevOps is awesome, and I hope that by the end of this talk you do too.

Okay, so now I want to go over the three ways again. Yes, that's right. It turns out if you are going to learn something that's brand new and abstract and complex, you need to repeat it three times. So this is time number two. So the three ways of DevOps are: emphasize the speed of the entire system, not just your part; fast feedback that is accurate and gets to the right person or people; and continuous learning, experimentation, taking time to improve your daily work. So let's figure out, for the rest of the talk, actionable items that we can do that support each of the three ways. Yes, that is literally what the rest of the talk is about, except for the last two minutes, where I'm just gonna give you a whole bunch of resources.

Okay, so emphasize the speed of the entire system, left to right. That's us. Obviously I had to make an amazing diagram for you, right? This is the system development life cycle. Even if you're doing DevOps, you still need a list of requirements of what you're building. You still need to actually design and plan out what you're going to build. You still need to code; that's the fun part. We still test, and then we release and release and release and release. And so we want to add security to all of these.

Okay, what does this mean for dev and ops? It means we need their help tuning our tools, because we don't want to be giving bad-quality feedback. Doesn't matter if it's fast if it's totally inaccurate. We want them to reuse known good code, so if we've tested something really thoroughly in one app, maybe they could reuse that code in another app. We want them to always use up-to-date images, always, always, always, always, always, always. If we create an asynchronous security pipeline, which I will explain in a little bit, we need them to use it. We need their help to make negative unit tests, and again, I'm going to explain what that is. And we need them to adopt the mantra that a severe security bug breaks the build, every time, because security is a part of quality, and you cannot have a high-quality piece of software that someone like me can hack into in five minutes. That's not high quality.

So this is the first of seven photo slides. So I call this the photo slide because you might want to take a screenshot, and so there's going to be seven of these, and this is the first one. And I know I went over this really quickly, but because it's BSides, I know that I am with a security-knowledgeable audience, and therefore I'm going to dive deeper and more in depth into all the things that are the responsibility of the security team rather than the dev and ops team. I'm going to quickly just slip out of this so that I can make sure that there are no comments from the organizer team, because I can't see their comments in Hopin, and then I'm going to start this again in one second, because I just want to make sure everything's okay. Everything looks good; they're not trying to reach me. Awesome. And now I'm going to go back to the slideshow. I just want to make sure I'm on time, doing a good job.

Okay, so what else? What does this mean for the security team? So the main, most important thing, if you take away only one single thing from this talk, is we can't make dev and ops wait on us forever. We just can't. That's not acceptable anymore. We cannot be the threat to availability. So no more us being the bottleneck. So we need to make processes that actually work, and if we keep doing things and we keep doing things and we are the bottleneck, either we need more staff or we need to do things a different way. And it is so important, it is so important that we adjust our mindset. We cannot just throw up a gate and stop everything. No one's going to tolerate that from us in a DevOps environment. And so if they are doing their work in sprints, we should break up our work into sprints. We need to focus on: we are equal to their value stream; we are not more important. And so we have to work really hard with them to make sure that we are not a constant bottleneck.

Okay, so what does this mean? Sometimes we have to break up our activities into smaller pieces. If they do their work in three-week sprints, we need to figure out how to fit some of our work into a three-week sprint. There's lots of different ways we can do that. Like, if we're doing a static application security testing exercise, we can just test part of the app, or we test the whole thing and validate the results all during one sprint, and then put all the results into the bug tracker so it's ready for the following sprint. It means that basically we need to get on board with them, and we need to make sure that we don't, so, in DevOps they'll say "pull the andon cord," which means, you know, in an entire physical manufacturing line, stopping the line for everyone in the whole factory. So we can't break the build, which is very similar to pulling the andon cord, unless it's a true emergency. So this is another very important thing that we need to take home with us.

And so yes, there's a whole bunch of things that we can do. So we need to tune our tools thoroughly so that there are no false positives that we are sending them. So this might mean, you know, if you're using a SAST tool, then you don't put it in the pipeline; you manually validate all the results and then you put those results into their bug tracker. This might mean that you use an IAST tool instead of a SAST tool, because although it finds fewer results, the results are more accurate. There's a lot of different things that you can do. One thing that I've seen that is super cool is there's a team, and I can't tell you where, but they do continuous scanning of everything, and they validate those results, and then they put it into an API. And so every build calls out to the API, and all it says is your most recent scan was good or bad, like, you failed or passed your most recent scan. So if they fail, it breaks the build, and those bugs are already in their bug tracker, and they already know which ones they have to go fix. And so yes, it's not scanning in the pipeline; it's asynchronous, or it's out of band. However, that's awesome. So within, like, a few hours the build is breaking, and this is good because it's immediate feedback, the fastest they could get it to them.

And so another thing we can do is we can provide code samples that are secure, or we can test with them and ensure that they provide them. I like to call it a secure coding library. So I'm a big fan of a secure coding library, and the idea of it is that you work with the developers. So you do not run up as a security person and then put your hands in the code library. It is like a woman's purse, I kid you not; you do not touch that without her permission. So it is their code library; it's not ours. So you talk with them and elect one of them the secure coding librarian, and that person cares for those code samples and helps to make sure they actually get reused. And so this is an activity I've done before and had really good results with. It saved a lot of time, and then we would just security test our template over and over again, and then if something new was found, we would push it out to all of our apps. It was great, super. That's what you do when you have less money for your dev budget.

Okay, so another thing is, so I talked about this briefly. So sometimes it's called a security pipeline, sometimes it's called an asynchronous pipeline or parallel pipeline. But when we in DevOps talk about "the pipeline" or "app pipeline," almost everyone is actually meaning to say a release pipeline. So it releases to the dev environment, the QA, the UAT, staging, and then it releases to the prod environment. However, you don't have to release to prod, and you don't have to have one pipeline. So you can actually, I remember doing a demo once, and I had four pipelines that would all run at the same time, because obviously, who doesn't want more of a good thing? And so one of them would create all the infrastructure, and the other one was putting stuff on, and then one was just, like, torturing it with tests. And so you can make a security pipeline, or an asynchronous or parallel pipeline, that does all of your long tests, and it kicks off only, let's say, when a major revision happens. So, you know, we're at 4.1 and we go to 4.2, and then that triggers it to run, and all your slow tests run, and then it doesn't break a build, it doesn't stop people from releasing. It just gives us all those automated tests, and then a security person goes in, validates them, and puts that into the bug tracker. This is beautiful because it's still automatically running your tests for you, and it's not slowing anyone else down. You're working within their processes, and then you are getting them results, just later. And then just put your super secret, very important types of tests, really critical, into the actual release pipeline. So I scan for secrets in a pipeline every time: if something looks like a secret, break the build. And I like to scan for software composition analysis, because it's a really fast check, and I want to know if you put in a new plugin and that's dangerous. The one last thing that I'm going to say on this slide is: buy licenses for these tools if you expect them to be in the pipeline. If you expect them to go and pay for those, you might not get happy news.

Okay, what else does this mean for security? This does not mean doing 100% of the work yourself. It means making it possible for dev and ops to perform security as part of their daily work. Sometimes it means writing your own tools. Netflix is really well known for writing tools and then open-sourcing them and sharing them with the industry and community, which I thought was really cool. But you don't have to write your own tools necessarily; it's when one doesn't already exist that does the thing that you really need. The point of the slide is to enable dev and ops every single way that you can. See how she's using a phone and a computer? She's using two devices to enable the dev and ops people. That's probably not what she was doing, but that's okay. So please take a screenshot of this slide if you are planning on doing it, and please be creative when you are helping them in any way you can. And remember that you need to emphasize the speed of the entire system. So if you are adding in stuff that is slowing other groups down, you need to figure out how you can do better for them, and do the best that you can for them. This doesn't mean you're never allowed to slow anyone down, ever; it means you need to make sure you do that the least often as possible.

Fast feedback. So this is right to left, but I like to think of this as pushing security left, or shifting left, starting security earlier. I want security in every phase of the system development life cycle. But don't believe me; believe the Ponemon Institute. So they did some research on this, and they saw basically what software developers have known forever: the later you fix a security or any type of bug or flaw (so a design flaw is something in the design, and a bug is something in the implementation), it is exponentially more expensive to fix things later. And this doesn't include if you have a security incident or a data breach, because that number would be through the roof. So it is really, really important that we do these things as fast as possible.

So what does this mean for dev and ops? It means providing feedback to the security team. We need their feedback. They are literally the key stakeholders in this, so we need to hear from them, and then we need to actually listen and take action. And if we have security activities, we need them to participate. These are the main things that we need from dev and ops, and we really need those things. We need buy-in. We need buy-in. That's what we need. Okay.
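The two release-pipeline checks the talk describes, the fast secret scan that breaks the build when something looks like a secret, and the out-of-band scan whose pass/fail verdict every build reads from an API, could be wired together like this. This is an added example, not code from the talk or from any tool it mentions. The verdict API is stood in for by a constructed in-memory dict, the changeset is constructed, the generic `password = "..."` rule and the entropy cut-off are this example's own choices, and failing closed when no verdict exists is an editorial assumption.

```python
"""Release-pipeline gate: secret scan on the changed files plus the verdict of
the most recent out-of-band security scan. Added example, not from the talk."""
import math
import re
from collections import Counter

# Credential patterns. The AWS access key ID shape (AKIA + 16 uppercase
# alphanumerics) and PEM private-key headers are public formats; the generic
# "password = '...'" assignment rule is this example's own assumption.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"""(?i)(?:secret|password|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}
ENTROPY_FLOOR = 3.0  # bits/char; placeholders like "changeme" sit below this


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(path, text, allowlist=frozenset()):
    """Return (path, line_no, rule) for every secret-looking value in text.
    allowlist holds reviewed false positives (the tuning the talk insists on)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value in allowlist:
                    continue
                if rule == "assigned_secret" and shannon_entropy(value) < ENTROPY_FLOOR:
                    continue  # low-entropy placeholder, not a real credential
                findings.append((path, lineno, rule))
    return findings


# Constructed stand-in for the team's verdict API: the build only asks
# "did the latest out-of-band scan of this app pass?"
SCAN_VERDICTS = {"payments-api": "pass", "customer-portal": "fail"}


def latest_scan_passed(app, verdicts=SCAN_VERDICTS) -> bool:
    """Fail closed (assumption): an app with no recorded verdict does not ship."""
    return verdicts.get(app) == "pass"


def gate(app, changed_files, allowlist=frozenset(), verdicts=SCAN_VERDICTS):
    """Decide whether this build breaks, and say why, so the reason lands in
    front of the developer rather than on a dashboard nobody reads."""
    reasons = []
    secrets = []
    for path, text in changed_files.items():
        secrets.extend(find_secrets(path, text, allowlist))
    if secrets:
        reasons.append("secrets: " + ", ".join(f"{p}:{ln} ({r})" for p, ln, r in secrets))
    if not latest_scan_passed(app, verdicts):
        reasons.append("latest out-of-band scan failed or missing")
    return {"break_build": bool(reasons), "reasons": reasons}


# Constructed sample changeset. AKIAIOSFODNN7EXAMPLE is the example key ID from
# the AWS documentation, a classic false positive worth allowlisting; the other
# key and the password value are made up for this example.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = "q7Zp!3mV9xLw2kRt"\nDEBUG = False\n',
    "docs/README.md": "Example key from the AWS docs: AKIAIOSFODNN7EXAMPLE\n",
    "deploy/creds.txt": "aws_access_key_id = AKIAQ3XZ7KLM2P8RTV5W\n",
    "tests/fixtures.py": 'password = "changeme"\n',
}
ALLOWLIST = frozenset({"AKIAIOSFODNN7EXAMPLE"})

if __name__ == "__main__":
    result = gate("payments-api", SAMPLE_FILES, ALLOWLIST)
    print("BREAK BUILD" if result["break_build"] else "ok", result["reasons"])
```

The allowlist and the entropy floor are where the tuning happens: without them the README's documented example key and the test fixture's placeholder would both break the build, which is exactly the false-positive noise that gets a tool switched off.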
So, other things that this means for us, the security team. So we need to provide feedback earlier. So we cannot just hire a pen tester to come in at the very end, right? That is a thing. I used to be a pen tester, and I would be invited at the end, and then as soon as I started consulting and got to control some of this stuff, I started showing up earlier, way earlier, and saying, like, let me wait for the design with you, can I do this with you and that with you? And I would give them, like, a report then, and then they would fix all those things, and then I would come in at the end and then, like, really, you know, do a lot of stuff. But the point is that then there would be way less things at the end; their app would be way more secure, because they can't fix all the things that I find, you know, two days before they release. So this is very important. This is the number one thing in way two: give them feedback sooner. Oh, and it also means no more false positives. You cannot deliver results from an automated tool directly to those teams unless you've tuned that tool, and especially if you've validated those results. It's really important.

Okay, so what else does this mean? We need to listen to feedback. So if they tell us, like, oh, your new tool is awful, we need to listen, because guess what? Developers and ops folks are really, really smart, and you know what they'll do? They'll turn it off. That's right, folks. They'll just turn off all the security tests, because they know how to do that, and they're adults, and they have crap to do. They have deadlines to meet, and if our tools are really not working, they'll just turn them off while we're not looking. And so we need to ask them how it's going, and then we need to listen to their feedback, and then we need to fix things that are not working for them. It's very, very important.

Okay, if you want to hear a really awesome story about listening to feedback, you should look up Netflix Repokid. They made something called Repoman, and then they turned it into something called Repokid because of the feedback they got from their teams. They listened and adjusted and came up with way better results for everyone, for the security team as well.

Okay, I'm gonna just check in with organizers again, and there's nothing in the chat for me, so I guess everything's awesome, and that makes me happy. If the presenters could put something in. I'm going to assume I'm supposed to stop at 10:15, or at quarter after the hour. If I have more time, that's good to know.

Okay, so what does this mean for security? So everywhere people are making unit tests, and actually, let me hide this, because I know you're all reading it. So unit tests are tests that software developers write, and they check it in with their code, and they test the smallest possible units of code to make sure it does what it's supposed to do. So unit tests are positive tests: they test that the things you should do what they're supposed to do. If stuff fails, then they don't check that code in and they don't push it into the release pipeline. So this is really far left. Negative unit tests ensure that your application gracefully fails. This is where we come in. We want negative unit tests, so we can work with our security champions, if we have them, or we can work directly with all the developers, which will be a lot more work, and we can help make negative unit tests that they check in alongside their code and that they run every single time before their code goes anywhere into that pipeline. And so we can add tests for cross-site scripting, we can add tests for injection, all sorts of cool stuff that gets run automatically every time. And you know what this is? This is regression testing. So every time a developer makes a new change or adds a new feature, they run all of these tests to make sure they didn't break any of the original things, and if one of those tests fails, they know they have to fix something. And this means we get regression testing of security, and this is awesome. The first time I heard this, my friend Morgan Roman gave this talk, and I was like, this dude's awesome, I have to be his friend. So amazing. It is very good value for your time.

So other things: we need to invite dev and ops to participate in security activities. So if there's a security incident, first of all, we should be telling them what we need from them, and we should be inviting them if it involves their app. Threat modeling: dev and ops have the most evil ideas of how they could hack their apps. You definitely want them in threat modeling sessions. Security sprints, yes, that's right. If you can figure out how to get the project manager to add a sprint, that's a two- or three-week amount of time in a project schedule, for security, oh, that is a beautiful thing. We cannot just add a giant secure code review in the middle of a project and then expect them to still meet their deadlines. We need time in the project schedule. Yes, that's right. And then we need to make sure that dev and ops know this is not a time to fix other bugs and ignore the security team. We have to plan activities with them.
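Negative unit tests of the kind described above (the same shape serves the later point about turning pen test findings into tests that keep a bug from coming back), as an added example that is not from the talk: two small constructed functions, an HTML renderer and a parameterized user lookup, plus negative tests that feed them cross-site scripting and SQL injection payloads and require graceful failure. The deliberately unsafe variants exist only to show the same tests catching a regression; the payload lists are constructed for this example.

```python
"""Negative unit tests: hostile input must fail safely, on every commit.
Added example, not from the talk; functions and payloads are constructed."""
import html
import sqlite3

# --- code under test (constructed) -----------------------------------------

def render_comment(author: str, body: str) -> str:
    """HTML fragment where every user-controlled value is escaped."""
    return f'<p class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</p>'


def render_comment_unsafe(author: str, body: str) -> str:
    """The 'before' version (no escaping). Kept only so the negative test can be
    seen catching it; never ship this."""
    return f'<p class="comment"><b>{author}</b>: {body}</p>'


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user(conn: sqlite3.Connection, username: str):
    """Parameterized lookup: the driver keeps data and SQL apart."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchone()


def find_user_unsafe(conn: sqlite3.Connection, username: str):
    """The 'before' version: string-built SQL. Same caveat as above."""
    return conn.execute(
        f"SELECT id, username FROM users WHERE username = '{username}'"
    ).fetchone()


# --- negative tests (constructed payloads) ---------------------------------

XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "' onmouseover='alert(1)",
]

SQLI_PAYLOADS = [
    "' OR '1'='1",
    "alice' --",
    "alice'; DROP TABLE users; --",
]


def check_xss(renderer) -> bool:
    """A hostile author/body may add no markup and break out of no attribute:
    the output may contain only the template's own 4 tags and 2 quote marks."""
    for payload in XSS_PAYLOADS:
        out = renderer(payload, payload)
        if out.count("<") != 4 or out.count(">") != 4:
            return False
        if out.count('"') != 2 or "'" in out:
            return False
    return True


def check_sqli(lookup) -> bool:
    """An injected username must match nobody and must not raise: a database
    error on hostile input is not graceful failure either."""
    for payload in SQLI_PAYLOADS:
        conn = make_db()  # fresh table per payload, in case one is destructive
        try:
            if lookup(conn, payload) is not None:
                return False
        except Exception:
            return False
        finally:
            conn.close()
    return True


def run_negative_tests() -> dict:
    """What the CI step runs against the shipping code. In a real suite these
    are plain test functions; returning a dict keeps the results inspectable."""
    return {
        "xss_render_comment": check_xss(render_comment),
        "sqli_find_user": check_sqli(find_user),
    }


if __name__ == "__main__":
    print(run_negative_tests())
    print("unsafe variants caught:", not check_xss(render_comment_unsafe),
          not check_sqli(find_user_unsafe))
```

The tests assert on structure (tag and quote counts, an empty result set, no exception) rather than on the absence of a particular payload string, so a new payload added after a pen test slots into the list without rewriting the checks; if someone later swaps `html.escape` for a plain f-string or rebuilds the query by concatenation, the build breaks on the next run.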
okay so another thing this means is so i am obsessed with metrics and data i always want to be the best and you need to measure in order to know that you're on the right track and improve yourself and how can i be the best if i'm not measuring right and so i like to put all of my results into some sort of vulnerability management system so there's a free one from oauth that is open source called defect dojo but then there's also paid ones so there's one from the denim group and it's called thread fix and then there's i believe white source just started creating one i haven't seen it yet but i know their
other software is awesome so it's probably also awesome but the point is is to put all of this information from all of your tools into the same place and look for patterns look for um like trends you can definitely do better if you can actually measure where you're at um and so you could do this in microsoft excel even if you want to but the point is is you need to use these metrics and then you want to share these metrics with dev and ops you want to tell them like listen we're seeing this from this team or we're seeing this type of result when this happens etc help them do better by sharing your data
Also, you know, if you're already making unit tests, if you have a security assessment done or a pen test done, a penetration test, you can take those results and turn those into unit tests to make sure that those things don't come back, and you can take those results and look at most of your other apps, and you probably have those problems there too. I used to work somewhere and we would only have enough money for one pen test a year, and I would take those results and apply them everywhere because I wanted to get the most value I could out of that engagement. And so now we are on photo slide number five and we are very close to the end, because I think I have until 10:15 and then we will do questions after, so please put questions in the chat for me because I love questions, and if I don't have time to answer them, you know, while I'm doing my video and while I'm in my question period, I'll just answer after in the chat. It's cool, let me know.

Okay, so next, the third way of DevOps: continuous learning. I like to think of this as full circle, so you need to allocate time to improve your daily work, which means learning cool new things, which means doing experiments and risk taking, which means learning from those things, which means improving your processes, which means doing better and better and better, and it ends up being a circle of awesome. This also means creating rituals that reward these activities, so if someone finished a university course part-time on their own, I think you should tell the whole team like, look at so-and-so, Alice is so awesome, or Bob's team had a pen test done and the person couldn't find any highs or criticals, look at how awesome Bob's team is. I'm a big fan of positive reinforcement because I totally live for compliments.

Okay, so what does this mean for dev and ops? If we give them security training, if we offer it, we really need them to show up. This means dev and ops could actually train themselves. So I have had a lot of software developers that take my courses in training because their security team isn't supporting them the way they want and they want to be awesome, and I'm like, great, all of you are welcome, come on down. It means that they should share information widely when they fix a security issue, because if that security issue is in one app it might be in a whole bunch of apps. It means that if we are doing security simulations or exercises or other security activities we need them to follow and participate, and it means that we need them to be on board for our policies. So I like to, gasp, talk to other teams when I am going to create a policy. Yeah, that's right, I'll actually take a secure coding guideline and then go talk to all the developers and ask them their opinions and then change it based on feedback. Yeah, that's right. So then when it comes out most of the people have already seen it, it's not a surprise. You might have remembered this in Canadian politics when Ryan Mulrooney was in charge of the budget and he just kept sharing information about the budget for months leading up to when he presented the budget. So the way they used to do it is they would just present the budget and then everyone, all the parties, would freak out and be pissed off, all the different, you know, government departments, everyone would always be pissed. So what he did is he went and got feedback from everyone and shared it, and so when he presented it everyone had already seen it, and so it was like our first budget ever that just got approved. And so I follow his lead and do that, and it works really well, trust me.

So what does this mean for the security team? Because that's what we want to learn about. So we need to share information widely. If there is a serious security incident, once it is cleaned up, if you have a lunch and learn and tell everyone what happened,
you better believe it, you're going to get a bunch of software developers and operations people on board with you. I did that somewhere where I used to work: my manager shared all the information and I was dead set against it. I was like, we can't show our dirty laundry, they'll know we're not perfect, that's bad. But I was wrong and he was right, and it was such a great idea, and it got everyone on board. Also, I believe that we should share our data. So I don't mean that we should share, you know, like a recipe of how to hack us, but I think we should share, you know, we have lots of problems with cross-site scripting, or it would appear that we have an organization-wide allergy to security headers and we need to talk, because it helps. It helps when you share information that you can share, and security is so good at keeping secrets and keeping things confidential, we forget when we're supposed to share information, and our industry is really not awesome at that. And so please try to remember to share information that can help other teams.

It also means... so I used to work at Elections Canada and I was the CSO for the first time that we elected Trudeau, and so that was in 2015. That was a lot of work. We weren't in the newspaper for security problems, and that's all I can really tell you, but obviously, like, that's pretty awesome. And so Elections Canada, for 100 years, they run a fake election before every real election. So they'll build out a returning office, they build the network, they install the apps, they have people pretend to vote, and then we do this for a day and we throw security incidents in and all sorts of problems and we test out all of our processes. Yeah, that's right, and you can find all sorts of interesting flaws. And so we do that like six, eight months before the election, and then we fix everything, and so then when the actual election happens you might notice that things tend to go well compared to a lot of other countries, and that's because we practiced for the, well, I was gonna say the big day, but now there's many days when you can vote because they figured out that's what Canadians want. And so running a simulation is amazing. And I used to work, you know, for the government for a very long time. They also run exercises, security exercises, so that is a few days where they have us manage incidents and practice, and they're so creative, it's super fun. If you can ever get invited you should go, and they have like fake news, like fake newscasts, like this happened to this and oh no, and like they let you come up with threats, they let you come up with defenses. It was just, it's so fun, and so I learned so much. And so security exercises and simulations, those are a great way for you to find out your problems and fix them before the real thing happens. And then when I actually had a security incident once that we solved in 14 minutes, and that was because of training, I was so impressed with my team. I went up and I briefed the executives, wrote them the media note and came back down in 14 minutes, and I just walked around and just high-fived them and told them like, you are the most amazing team I've ever worked with, because that is fast, wow.

Okay, so here's the book, please take a photo, slide. One of the things of experimentation that is a story I don't have time to tell, but Netflix made another open source tool called Chaos Monkey, where essentially it was an experiment and gosh darn it, it worked, and if you look in your favorite search engine for that story it's really good. I'm friends with some of the people on the Netflix AppSec team and I admire a lot of the work that they're doing, and I admire even more how they're sharing this with the industry, because they make movies, yo, they don't need to share this, they're
not like getting anything out of it, they're just trying to make the world a more secure place, and I really applaud that. What else does this mean for security? So the most important thing in continuous learning of all these things, okay, so one of the most important things, is performing blameless postmortems. We cannot say Alice is the worst, or Bob, it's all his fault. That breaks trust between teams and it actually doesn't help at all, because it's not Alice or Bob's fault. It's almost always a safeguard was missing, a policy didn't work, a process was broken. When we fix those things we make sure these problems don't happen again. Oh, was Bob never given training on this tool he was expected to use every day? Maybe it was that. Oh, was Alice given 5,000 things to do in a very short period of time so she could never possibly have done all of them? Maybe that was a problem. And we need to, in order to have a blameless postmortem, it means we need to actually have a postmortem event and talk about security incidents when they're over and do our best to make sure they never happen again, and so you must hold a postmortem event after every serious security incident.

It also means teaching developers and operations people what the output means from security tools. You can't just send them the automated report from a SAST tool and not validate it and not explain what it means and send them like a 1,000-page report full of potential bugs. That's basically like giving them the middle finger, it's not helpful, it's very rude, and so we need to teach them. We need to also put all this information in a knowledge base to make sure that everyone has access to it. I'm a huge fan of knowledge bases and of course, obviously, I have a story about that, but I don't have time. I'm also a fan of creating lessons about different opportunities, so you can give the lessons at lunch, you can write a white paper if you really feel like it, white papers are hard to write as an FYI, you can, you know, hire someone to come in to do formal training, you can have job shadowing. But the first time I gave a presentation I was totally scared, I was very, very nervous, and now I'm awesome at it, and you'll probably never get to the point where you're totally excited to present for two or three thousand people in a room, and that's okay, but if you talk from the heart, you explain to them what happened, you share as much information as you are allowed to share, I assure you they will care, they will listen, and they will act differently from then on. So teach them what they need to know to do their jobs.

Okay, so this is the last of the picture slides and I just have a couple of brief things to say about culture change, because if we want all these things to happen we need our culture to change so we are on board with DevOps. You can't just buy a pipeline piece of software and then put one of your apps through it and say we're doing DevOps. You must do all three ways or you are not doing all of DevOps, and that means you're not getting all of the amazing benefits, and trust me, the benefits don't end, they're awesome. Okay, so security needs to become a part of DevOps. So how do we do that culture change? So celebrate when there is a win.
People are only used to seeing the security team when something bad happened. I don't want them to be like, oh no, Tanya's coming, quick, hide. I don't want that. I don't want them to see me and go, oh, what have I done? I don't want that reaction. I want to show up with donuts or a gluten-free alternative or fresh fruit or whatever the thing is that you do in your office and say, this is a gift for you from the security team because you passed your pen test. I want to go and give high fives when they get past my scanners. I want to positively reinforce every single thing. Oh, you made it through the security pipeline? You're amazing, I'm going to send an email and tell everyone how awesome you are. I really, really want positive reinforcement. I've seen too many security teams that just slap hands all day long, and that doesn't create the environment you want, where people trust you and come talk to you.

I realize this slide is scary. When I watch TV now, if I see a person walk up to another person I'm like, no! Call me, they're not wearing a mask. So you're probably thinking, oh no, they're so close, but we really need to work more closely with dev and ops, and by this I mean virtually, because safety first. But we really need to spend time with them, like show up to their meetings sometimes, show them support, help them, if they're going to whiteboard a design, join them, right? Become their, if you can, become their friend, then at least become their acquaintance. It's really important they know your name. If they don't know your name, if none of the developers know your name and you work in AppSec, you're doing something wrong. No more blaming. Yeah, that's right, I'm saying this twice because it's important, and I actually made this mistake really badly once and it took me months to recover from it. I totally, I even raised my voice a little, which I like never do, and gave someone holy hell, and it was not cool. Took a long time to rebuild that relationship and that trust.

I am a huge fan of security champions. If you do not have a security champion program you should totally consider one. They are essentially the most awesome humans on each of the teams and they champion your cause of security, and you teach them and you enable them, give them tools, buy them cool books, so many things, and they just, they help you get your mandate done.

So I have a call to action now, and then I'm gonna give you the resources, and I hope, I guess I'm gonna go one or two minutes over time and I hope that's okay, they can interrupt me if it's not. But I want to do a call to action to you who's watching. So you, I mean you right there, if you see me you're probably like, oh, she's not... I'm talking to you. I want to give you a call to action and I'm very serious about this. It is security's job to enable dev and ops to do their jobs securely, and so I want you to raise your right hand. I'm not kidding, right? I can see some of you raise your right hand. No one has to see you, seriously, raise it up. I'm waiting for that last guy. Okay, it is my job, repeat after me: it is my job to enable dev and ops to do their jobs securely. Thank you. I read a study that if you
make people promise to do something they're 80% more likely to do it, so I'm hoping that 99% of you adopt this as a model. It's our job to enable, to teach, to automate, to give them feedback, to do every single thing within our power for them to create secure software and secure systems and secure our data, and so if we remember it's our job to enable them, we can do better. Thank you, thank you for going along with me, I know that sometimes I'm a little much, but thank you.

Now for some resources. First, the Open Web Application Security Project. Because of COVID, one awesome thing is lots of chapters are now meeting online and having virtual events. I am part of OWASP Victoria and we have partnered with OWASP Vancouver, who are much older and wiser than us as a chapter, and we are coming together to create OWASP Cascadia. Yes, Cascadia means west coast, and we are having, October third, a full day of free training, workshops, talks, and it's all AppSec all day. Please join us. And awesome books: I love these books. All these books are about DevOps except mine, that just has part of it about DevOps, Alice and Bob Learn Application Security. Obviously I had to list my own book in the list of awesome books, but all of these books are amazing, trust me. The Unicorn Project is the newest one of these books and I love that book, I want to be Maxine when I grow up.

If you are a woman, and I mean that in every definition, WoSEC wants to meet you and be your new friend. We don't have a chapter in Edmonton, but if someone wants to start one, let me know. We have chapters in Halifax, Ottawa, Montreal, Vancouver, Victoria, and then, well, we have 34 chapters around the world. But if you want to make lots of new friends, we are holding meetups online. This Saturday my meetup is hanging out online and we do this every month, and if you want to meet cool women that work in your field, we would love to meet you.

Every Monday for years now has been Cyber Mentoring Monday. If you have worked in infosec for two or more years, I deem you qualified to be a professional mentor. If you want to learn more about the topic or switch fields or, you know, branch out into something new, I suggest you get a professional mentor. I feel blessed to have the professional mentors that I have had throughout my career and that I have right now, and in turn I mentor several other people. This is how we make our industry more awesome, this is how we bridge the resource gap, this is how we let new people know this is the industry for them, we welcome them. So please check out this hashtag on Twitter every Monday. It might seem like it's quiet sometimes, but that's because it's like an iceberg: most of it is actually in direct messages, so answer someone, you'll make their whole year, trust me.

And resources: me. I am on the internet. I now actually have my own little silly web page, I have a blog and a YouTube channel, and I'm a nerd all the time. When my book comes out I will be streaming workshops, like little answers to the end of every chapter, so there's assignments at the end of every chapter because I am a mean teacher and I make you work hard, and so I'm meeting people online for months after the book comes out to like work through all the exercises together, so come hang out. So what did we learn today? Security is a part of DevOps, and that makes it DevSecOps. Yes. Thank you so, so very much for your time and attention today. Thank
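The talk's advice to turn pen-test results into unit tests "so that those things don't come back" (and its joke about an organization-wide allergy to security headers) is easy to show concretely. The following is an added example written for this transcript, not code from the talk or from the speaker's company: it takes two constructed findings a pen-test report might list against a web app (missing security headers, and a query parameter reflected into the page unencoded), encodes each as a repeatable check, and runs the checks against a constructed in-memory WSGI app in both its "before" and hardened forms. The app, the header set in `REQUIRED_HEADERS`, the probe string, and all function names are assumptions made for the example; only the Python standard library is used, so it runs offline.

```python
"""Turning pen-test findings into regression tests (constructed example).

Two findings a report might list for a small web app:
  1. Security headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options) absent.
  2. The `name` query parameter is reflected into the HTML unencoded (XSS).

`vulnerable_app` is the constructed 'before' state, `hardened_app` the fix.
`run_security_regression` exercises an app in-process the way a unit test
would, so the two findings are re-checked on every build.
"""
from html import escape
from urllib.parse import parse_qs, quote

# Header names and the exact values the team agreed on (assumed baseline).
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

# Constructed probe: if it comes back byte-for-byte, output encoding is missing.
XSS_PROBE = "<script>alert(1)</script>"


def _greeting_page(environ, encode):
    """Render the page; `encode` is applied to user input before it hits HTML."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    name = qs.get("name", ["friend"])[0]
    return f"<html><body>Hello, {encode(name)}</body></html>"


def vulnerable_app(environ, start_response):
    """'Before' state from the findings: no security headers, raw reflection."""
    body = _greeting_page(environ, lambda s: s).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def hardened_app(environ, start_response):
    """Fixed state: input is HTML-escaped and the agreed headers are always sent."""
    body = _greeting_page(environ, escape).encode("utf-8")
    headers = [("Content-Type", "text/html; charset=utf-8")] + list(REQUIRED_HEADERS.items())
    start_response("200 OK", headers)
    return [body]


def call_app(app, path="/", query=""):
    """Invoke a WSGI app in-process (no server) and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
        "SERVER_NAME": "localhost", "SERVER_PORT": "80", "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body


def missing_security_headers(headers):
    """Finding 1 as a check: required headers absent or carrying an unexpected value."""
    return [name for name, value in REQUIRED_HEADERS.items() if headers.get(name) != value]


def reflects_unencoded(app):
    """Finding 2 as a check: does the probe survive the round trip unencoded?"""
    _, _, body = call_app(app, query="name=" + quote(XSS_PROBE))
    return XSS_PROBE in body


def run_security_regression(app):
    """Run both findings against an app; an empty list and False mean 'still fixed'."""
    _, headers, _ = call_app(app)
    return {
        "missing_headers": missing_security_headers(headers),
        "reflected_xss": reflects_unencoded(app),
    }


if __name__ == "__main__":
    for label, app in (("before", vulnerable_app), ("hardened", hardened_app)):
        print(label, run_security_regression(app))
```

The checks are deliberately written against the agreed values, not just header presence, so a later "fix" that sets `X-Frame-Options: ALLOWALL` or an empty CSP would fail the build rather than pass a presence-only test; the same `run_security_regression` call can be pointed at every other app in the portfolio, which is the "apply the results everywhere" habit the talk describes.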