1
00:00:00,410 --> 00:00:09,230
[Music]

2
00:00:13,519 --> 00:00:16,400
hey everybody it's alyssa miller how are

3
00:00:16,400 --> 00:00:18,160
you guys doing you have made it through

4
00:00:18,160 --> 00:00:21,119
two days of circle city con

5
00:00:21,119 --> 00:00:23,359
it's been a lot of good stuff i hope

6
00:00:23,359 --> 00:00:25,840
you're really enjoying it um here we sit

7
00:00:25,840 --> 00:00:27,359
now we're in the

8
00:00:27,359 --> 00:00:29,359
the uh the final

9
00:00:29,359 --> 00:00:32,000
run here i guess of today's

10
00:00:32,000 --> 00:00:33,760
today's events so

11
00:00:33,760 --> 00:00:36,079
so glad to see you all here so glad you

12
00:00:36,079 --> 00:00:37,840
could be with us thank you for joining

13
00:00:37,840 --> 00:00:40,160
me let's dive in i don't even want to

14
00:00:40,160 --> 00:00:42,160
wait because we're getting happy we're

15
00:00:42,160 --> 00:00:43,600
going to be super happy we're making

16
00:00:43,600 --> 00:00:46,719
devsecops actually work in our

17
00:00:46,719 --> 00:00:48,320
environments in our organizations

18
00:00:48,320 --> 00:00:50,160
wherever it is that we're developing

19
00:00:50,160 --> 00:00:51,440
software

20
00:00:51,440 --> 00:00:54,000
but before we begin just in case you

21
00:00:54,000 --> 00:00:55,680
don't know who i am

22
00:00:55,680 --> 00:00:57,680
let me introduce myself so like i said

23
00:00:57,680 --> 00:00:59,440
i'm alyssa miller first and foremost

24
00:00:59,440 --> 00:01:02,399
i'm a hacker a researcher and a security

25
00:01:02,399 --> 00:01:04,319
advocate now what do i mean by security

26
00:01:04,319 --> 00:01:06,159
advocate means i like to get out and do

27
00:01:06,159 --> 00:01:07,920
stuff just like i'm doing right now talk

28
00:01:07,920 --> 00:01:10,320
to all you share some ideas talk about

29
00:01:10,320 --> 00:01:12,320
problems that we face in security hear

30
00:01:12,320 --> 00:01:14,000
what you're thinking tell you what i'm

31
00:01:14,000 --> 00:01:16,080
thinking or what i found in my research

32
00:01:16,080 --> 00:01:18,000
and see what we can do to get better

33
00:01:18,000 --> 00:01:19,840
that's what it's all about

34
00:01:19,840 --> 00:01:22,240
i am also a biso

35
00:01:22,240 --> 00:01:24,960
hmm what does that mean well we'll talk

36
00:01:24,960 --> 00:01:26,479
about that in a second but i'm a biso

37
00:01:26,479 --> 00:01:28,720
for s&p global ratings so if you've

38
00:01:28,720 --> 00:01:31,119
heard of standard and poor's yeah that's

39
00:01:31,119 --> 00:01:33,680
that s&p so maybe like the s&p 500 you

40
00:01:33,680 --> 00:01:35,280
might be familiar with that as well

41
00:01:35,280 --> 00:01:37,119
that's who we are now i said you know

42
00:01:37,119 --> 00:01:39,280
what is the biso business information

43
00:01:39,280 --> 00:01:41,360
security officer i'm not going to go

44
00:01:41,360 --> 00:01:43,360
into details right now but if you want

45
00:01:43,360 --> 00:01:45,200
there's a link i wrote a blog on it when

46
00:01:45,200 --> 00:01:46,720
i got the job because i knew people were

47
00:01:46,720 --> 00:01:49,040
going to ask alyssa you you got this

48
00:01:49,040 --> 00:01:51,520
job as a biso what the heck is that

49
00:01:51,520 --> 00:01:53,439
so check it out if you're interested

50
00:01:53,439 --> 00:01:54,560
otherwise just know it's business

51
00:01:54,560 --> 00:01:56,719
information security officer i lead the

52
00:01:56,719 --> 00:02:00,079
security strategy for s&p global ratings

53
00:02:00,079 --> 00:02:02,560
now my history in tech

54
00:02:02,560 --> 00:02:04,799
it's it i've been a lot of places 10

55
00:02:04,799 --> 00:02:07,119
years as a developer that's how i got

56
00:02:07,119 --> 00:02:09,679
started and then i spent the last 16

57
00:02:09,679 --> 00:02:12,000
years in security i pivoted from a

58
00:02:12,000 --> 00:02:16,000
development job into a pen testing job

59
00:02:16,000 --> 00:02:18,720
i then became a consultant for a while

60
00:02:18,720 --> 00:02:22,879
and ultimately now i find myself at s&p

61
00:02:22,879 --> 00:02:25,360
and then finally i'm an author a blogger

62
00:02:25,360 --> 00:02:27,599
a podcaster i kind of

63
00:02:27,599 --> 00:02:29,040
try to do a lot of different things

64
00:02:29,040 --> 00:02:31,120
again just ways that i can interact with

65
00:02:31,120 --> 00:02:34,319
our community and really exchange ideas

66
00:02:34,319 --> 00:02:36,400
and just again it's all about trying to

67
00:02:36,400 --> 00:02:37,840
make us better

68
00:02:37,840 --> 00:02:40,080
so that's it that's enough about me you

69
00:02:40,080 --> 00:02:42,000
have heard enough let me tell you about

70
00:02:42,000 --> 00:02:44,480
a few other really important people that

71
00:02:44,480 --> 00:02:45,920
are going to be a part of today's

72
00:02:45,920 --> 00:02:48,480
discussion no they're not here with me

73
00:02:48,480 --> 00:02:50,080
but it's important that you know the

74
00:02:50,080 --> 00:02:53,760
history so we're talking devsecops

75
00:02:53,760 --> 00:02:56,239
how many of you actually know the

76
00:02:56,239 --> 00:02:59,280
history of where dev ops and devsecops

77
00:02:59,280 --> 00:03:00,720
came from

78
00:03:00,720 --> 00:03:03,040
not everybody does so let me give you a

79
00:03:03,040 --> 00:03:05,440
quick history lesson so i'm going to

80
00:03:05,440 --> 00:03:08,159
rewind you all the way back to the year

81
00:03:08,159 --> 00:03:10,800
2008 god i can't believe that's actually

82
00:03:10,800 --> 00:03:13,120
13 years ago

83
00:03:13,120 --> 00:03:15,360
wow some of you might not have even been

84
00:03:15,360 --> 00:03:17,680
working in like full-time jobs yet by

85
00:03:17,680 --> 00:03:18,400
then

86
00:03:18,400 --> 00:03:20,959
um and that's great i love it i'm glad

87
00:03:20,959 --> 00:03:22,239
we got new faces but that's why i'm

88
00:03:22,239 --> 00:03:24,959
going to tell you this story so in 2008

89
00:03:24,959 --> 00:03:26,799
this gentleman his name is patrick

90
00:03:26,799 --> 00:03:29,360
debois he lives in belgium

91
00:03:29,360 --> 00:03:31,760
and he was a software developer among

92
00:03:31,760 --> 00:03:33,599
other things and he was really

93
00:03:33,599 --> 00:03:35,040
frustrated with

94
00:03:35,040 --> 00:03:37,440
just the difficulty that his development

95
00:03:37,440 --> 00:03:40,879
teams had getting software from you know

96
00:03:40,879 --> 00:03:42,799
the conceptual stage and getting it

97
00:03:42,799 --> 00:03:44,959
written and built and tested all the way

98
00:03:44,959 --> 00:03:46,640
through to deployment

99
00:03:46,640 --> 00:03:48,720
and he was looking for a way to make

100
00:03:48,720 --> 00:03:50,879
this easier how could he reduce the

101
00:03:50,879 --> 00:03:53,599
friction between his dev teams and the

102
00:03:53,599 --> 00:03:55,280
operational teams that he had to work

103
00:03:55,280 --> 00:03:58,000
with who were ultimately the ones he had

104
00:03:58,000 --> 00:03:59,760
to satisfy in order to get his software

105
00:03:59,760 --> 00:04:01,280
to production

106
00:04:01,280 --> 00:04:04,879
but he wasn't the only one thinking this

107
00:04:04,879 --> 00:04:06,799
this is andrew shafer

108
00:04:06,799 --> 00:04:08,239
andrew shafer was thinking some of the

109
00:04:08,239 --> 00:04:11,200
same things back in 2008 in fact i don't

110
00:04:11,200 --> 00:04:12,879
recall the name of the conference but at

111
00:04:12,879 --> 00:04:15,280
a conference they were both going to

112
00:04:15,280 --> 00:04:18,238
andrew shafer put out an idea for a

113
00:04:18,238 --> 00:04:20,000
birds of a feather session you know

114
00:04:20,000 --> 00:04:21,279
where you get a few people together and

115
00:04:21,279 --> 00:04:23,199
you talk about some idea

116
00:04:23,199 --> 00:04:24,000
and

117
00:04:24,000 --> 00:04:25,680
patrick saw this he thought it was great

118
00:04:25,680 --> 00:04:28,080
he's like okay great i'm i'm i'm gonna

119
00:04:28,080 --> 00:04:29,919
go to this so patrick signed up well

120
00:04:29,919 --> 00:04:31,840
patrick was the only one who signed up

121
00:04:31,840 --> 00:04:33,280
and in fact he was the only one who

122
00:04:33,280 --> 00:04:35,040
showed up because andrew didn't show up

123
00:04:35,040 --> 00:04:37,520
because there was only one person

124
00:04:37,520 --> 00:04:39,280
and so

125
00:04:39,280 --> 00:04:41,360
long story short they ended up meeting

126
00:04:41,360 --> 00:04:43,280
later and

127
00:04:43,280 --> 00:04:45,040
they got to talking about this idea of

128
00:04:45,040 --> 00:04:46,880
how they would unite developers and

129
00:04:46,880 --> 00:04:49,600
operations together break down the walls

130
00:04:49,600 --> 00:04:52,000
make everything happy for everybody so

131
00:04:52,000 --> 00:04:53,840
we could deploy software a whole lot

132
00:04:53,840 --> 00:04:55,600
faster

133
00:04:55,600 --> 00:04:58,240
and from that idea they spawned

134
00:04:58,240 --> 00:05:01,120
devsecops days or devops days excuse me

135
00:05:01,120 --> 00:05:03,039
which is the first time that we know of

136
00:05:03,039 --> 00:05:06,400
that term being used dev ops and it was

137
00:05:06,400 --> 00:05:08,560
just this idea of we can make software

138
00:05:08,560 --> 00:05:11,039
delivery so much faster if we just break

139
00:05:11,039 --> 00:05:13,759
down all these barriers

140
00:05:13,759 --> 00:05:15,759
but who's missing from this conversation

141
00:05:15,759 --> 00:05:16,960
you see

142
00:05:16,960 --> 00:05:19,039
this was 2009 and we started having

143
00:05:19,039 --> 00:05:21,280
conferences about this

144
00:05:21,280 --> 00:05:23,840
it wasn't until 2012 that security

145
00:05:23,840 --> 00:05:25,440
started to realize like okay this is a

146
00:05:25,440 --> 00:05:27,039
real movement we got to do something

147
00:05:27,039 --> 00:05:28,080
about

148
00:05:28,080 --> 00:05:29,919
organizations were starting to adopt it

149
00:05:29,919 --> 00:05:32,639
amazon was doing millions of deployments

150
00:05:32,639 --> 00:05:34,720
you know every year

151
00:05:34,720 --> 00:05:37,039
everybody was jumping on this idea of a

152
00:05:37,039 --> 00:05:39,120
devops bandwagon

153
00:05:39,120 --> 00:05:42,560
so two gentlemen josh corman and gene

154
00:05:42,560 --> 00:05:46,000
kim in 2012 gave what is kind of their

155
00:05:46,000 --> 00:05:48,800
now pretty infamous talk security is

156
00:05:48,800 --> 00:05:51,600
dead long live rugged dev ops and the

157
00:05:51,600 --> 00:05:54,000
whole idea was if we're going to do this

158
00:05:54,000 --> 00:05:56,000
devops thing and we're going to be super

159
00:05:56,000 --> 00:05:58,160
fast and i know they cited that like i

160
00:05:58,160 --> 00:06:00,479
think at that point amazon was averaging

161
00:06:00,479 --> 00:06:03,039
deployments every 11 seconds in their

162
00:06:03,039 --> 00:06:04,639
devops pipeline

163
00:06:04,639 --> 00:06:06,000
these guys are like look if we're going

164
00:06:06,000 --> 00:06:07,120
to do this we got to think about

165
00:06:07,120 --> 00:06:10,240
security all differently so we are going

166
00:06:10,240 --> 00:06:12,400
to jump in and they talked about this

167
00:06:12,400 --> 00:06:15,360
idea of rugged devops where software

168
00:06:15,360 --> 00:06:17,039
didn't just get built secure but it had

169
00:06:17,039 --> 00:06:19,680
to be built ruggedly and you can go find

170
00:06:19,680 --> 00:06:22,960
that talk it's definitely still online i

171
00:06:22,960 --> 00:06:26,160
encourage you to check it out sometime

172
00:06:26,160 --> 00:06:27,039
but

173
00:06:27,039 --> 00:06:30,000
we're now in the year 2021

174
00:06:30,000 --> 00:06:32,639
and we still as security people seem to

175
00:06:32,639 --> 00:06:34,800
struggle with this and some of the

176
00:06:34,800 --> 00:06:38,000
conversation begins with just who is

177
00:06:38,000 --> 00:06:40,800
ultimately responsible for security

178
00:06:40,800 --> 00:06:42,960
so prior to my current role i worked for

179
00:06:42,960 --> 00:06:45,840
a company called snyk and last year we

180
00:06:45,840 --> 00:06:48,880
did our state of open source security

181
00:06:48,880 --> 00:06:51,680
report we talked about i went into a lot

182
00:06:51,680 --> 00:06:53,360
of research on a lot of different topics

183
00:06:53,360 --> 00:06:55,199
but one of the things we did was we we

184
00:06:55,199 --> 00:06:57,919
had a survey and we surveyed literally

185
00:06:57,919 --> 00:07:01,520
thousands of people about you know how

186
00:07:01,520 --> 00:07:02,720
security

187
00:07:02,720 --> 00:07:04,720
open source devsecops how all that

188
00:07:04,720 --> 00:07:06,720
looked in their organization so one of

189
00:07:06,720 --> 00:07:08,560
the questions i asked and it was a

190
00:07:08,560 --> 00:07:09,919
follow-up to what we had asked in the

191
00:07:09,919 --> 00:07:11,360
previous year was

192
00:07:11,360 --> 00:07:13,919
who's responsible for the security of

193
00:07:13,919 --> 00:07:16,240
your software and your infrastructure

194
00:07:16,240 --> 00:07:18,080
and what you see here is kind of some

195
00:07:18,080 --> 00:07:19,840
interesting results

196
00:07:19,840 --> 00:07:22,560
now they could answer that question with

197
00:07:22,560 --> 00:07:24,160
multiple answers so they could choose

198
00:07:24,160 --> 00:07:26,240
all three they could have chosen all

199
00:07:26,240 --> 00:07:27,759
four which are all five which have been

200
00:07:27,759 --> 00:07:29,360
a little weird but

201
00:07:29,360 --> 00:07:32,479
you see here that like 85 said devs are

202
00:07:32,479 --> 00:07:33,840
responsible for the security of the

203
00:07:33,840 --> 00:07:36,160
software but only 55

204
00:07:36,160 --> 00:07:37,759
thought security was involved in that

205
00:07:37,759 --> 00:07:40,960
and only 35 thought operations

206
00:07:40,960 --> 00:07:42,240
when it came to infrastructure it

207
00:07:42,240 --> 00:07:43,919
leveled off a lot more you can see the

208
00:07:43,919 --> 00:07:46,479
impacts that infrastructure as code and

209
00:07:46,479 --> 00:07:48,080
cloud native technologies are having

210
00:07:48,080 --> 00:07:50,479
here because now suddenly devs aren't as

211
00:07:50,479 --> 00:07:53,039
responsible operations predictably came

212
00:07:53,039 --> 00:07:54,879
up quite a bit and security still sat

213
00:07:54,879 --> 00:07:56,400
there only half of them thought security

214
00:07:56,400 --> 00:07:57,759
played a part in securing the

215
00:07:57,759 --> 00:07:59,280
infrastructure

216
00:07:59,280 --> 00:08:00,720
so these are really interesting

217
00:08:00,720 --> 00:08:02,319
attitudes that we're seeing and it makes

218
00:08:02,319 --> 00:08:04,879
it really complex when we want to bring

219
00:08:04,879 --> 00:08:07,680
security to the dev ops discussion

220
00:08:07,680 --> 00:08:10,720
because no one really wants to say who's

221
00:08:10,720 --> 00:08:13,680
responsible for security

222
00:08:13,680 --> 00:08:16,080
but that's not the only problem

223
00:08:16,080 --> 00:08:19,120
devops has created a whole

224
00:08:19,120 --> 00:08:21,759
gamut of new technologies and new

225
00:08:21,759 --> 00:08:24,080
approaches to things that we didn't have

226
00:08:24,080 --> 00:08:26,000
back when i was a software developer 16

227
00:08:26,000 --> 00:08:27,360
years ago

228
00:08:27,360 --> 00:08:29,360
and so there's a lot of issues and a lot

229
00:08:29,360 --> 00:08:31,599
of them start with just knowing what's

230
00:08:31,599 --> 00:08:33,279
in your software

231
00:08:33,279 --> 00:08:35,839
modern day development is more complex

232
00:08:35,839 --> 00:08:38,719
than it's ever been before because we've

233
00:08:38,719 --> 00:08:40,399
added all these things to ultimately

234
00:08:40,399 --> 00:08:42,399
make it faster i know that seems odd

235
00:08:42,399 --> 00:08:44,399
more complex development means faster

236
00:08:44,399 --> 00:08:45,600
development

237
00:08:45,600 --> 00:08:47,920
alyssa you've lost your mind

238
00:08:47,920 --> 00:08:49,839
i promise you it does actually make

239
00:08:49,839 --> 00:08:51,600
sense but we've created a lot of

240
00:08:51,600 --> 00:08:53,519
technologies and you know maybe you're

241
00:08:53,519 --> 00:08:54,560
familiar

242
00:08:54,560 --> 00:08:57,040
with the this question here what is in

243
00:08:57,040 --> 00:08:59,519
your software think about if you

244
00:08:59,519 --> 00:09:00,720
remember that

245
00:09:00,720 --> 00:09:03,440
breach in 2017 equifax

246
00:09:03,440 --> 00:09:05,519
where apparently and we'll never really

247
00:09:05,519 --> 00:09:07,120
know for sure but apparently they had

248
00:09:07,120 --> 00:09:09,519
some open source struts libraries that

249
00:09:09,519 --> 00:09:11,600
had known vulnerabilities they didn't

250
00:09:11,600 --> 00:09:13,200
know that they were there and they got

251
00:09:13,200 --> 00:09:14,880
compromised

252
00:09:14,880 --> 00:09:16,640
this is the challenge we have now where

253
00:09:16,640 --> 00:09:18,480
does it come from

254
00:09:18,480 --> 00:09:21,200
well it's how we write our code so back

255
00:09:21,200 --> 00:09:23,680
in my day god do i sound old when i say

256
00:09:23,680 --> 00:09:24,720
that

257
00:09:24,720 --> 00:09:26,399
back when i was a software developer

258
00:09:26,399 --> 00:09:27,920
that sounds a little better

259
00:09:27,920 --> 00:09:30,240
um you know if you had an application

260
00:09:30,240 --> 00:09:33,200
that was 100 000 lines of code it meant

261
00:09:33,200 --> 00:09:35,120
that developers in your organization

262
00:09:35,120 --> 00:09:38,480
wrote 100 000 lines of code

263
00:09:38,480 --> 00:09:40,800
but it's not that way anymore

264
00:09:40,800 --> 00:09:42,959
you see the open source community cloud

265
00:09:42,959 --> 00:09:45,519
native have all become involved in our

266
00:09:45,519 --> 00:09:47,040
development in an effort to make things

267
00:09:47,040 --> 00:09:51,600
faster as we've got devops developers

268
00:09:51,600 --> 00:09:53,279
working to quickly

269
00:09:53,279 --> 00:09:54,880
construct code and deploy it we've

270
00:09:54,880 --> 00:09:56,399
created this open source community that

271
00:09:56,399 --> 00:09:59,040
is wonderful and it means that i don't

272
00:09:59,040 --> 00:10:01,600
have to write a 100 000 lines of code

273
00:10:01,600 --> 00:10:03,279
because a lot of the functionality i may

274
00:10:03,279 --> 00:10:05,760
need i go grab from the open source

275
00:10:05,760 --> 00:10:06,800
community

276
00:10:06,800 --> 00:10:08,720
and i just do that in the form of

277
00:10:08,720 --> 00:10:11,200
dependencies that i introduce into my

278
00:10:11,200 --> 00:10:12,880
software

279
00:10:12,880 --> 00:10:15,040
so here's a great example there's a java

280
00:10:15,040 --> 00:10:17,040
application all right and this is the

281
00:10:17,040 --> 00:10:18,720
you're seeing the manifest here now this

282
00:10:18,720 --> 00:10:20,959
java application is only 280 lines of

283
00:10:20,959 --> 00:10:23,200
code that this developer wrote

284
00:10:23,200 --> 00:10:25,600
great okay super simple app right seems

285
00:10:25,600 --> 00:10:27,440
really simple

286
00:10:27,440 --> 00:10:28,560
yeah but they introduce eight

287
00:10:28,560 --> 00:10:30,839
dependencies through the manifest

288
00:10:30,839 --> 00:10:32,480
okay

289
00:10:32,480 --> 00:10:34,800
so i've got eight packages of software

290
00:10:34,800 --> 00:10:36,880
that i'm going to go pull from the open

291
00:10:36,880 --> 00:10:38,399
source community

292
00:10:38,399 --> 00:10:40,399
that are going to now be a part of my

293
00:10:40,399 --> 00:10:42,640
software all right not the end of the

294
00:10:42,640 --> 00:10:43,760
world

295
00:10:43,760 --> 00:10:45,519
the only problem is

296
00:10:45,519 --> 00:10:48,399
each of those dependencies each package

297
00:10:48,399 --> 00:10:50,240
that i introduced has its own

298
00:10:50,240 --> 00:10:52,800
dependencies 89 subdependencies and

299
00:10:52,800 --> 00:10:55,040
suddenly my 280 lines of code has turned

300
00:10:55,040 --> 00:10:56,800
into 2.4

301
00:10:56,800 --> 00:10:58,880
million lines of code that i'm

302
00:10:58,880 --> 00:11:01,279
responsible for as a developer that i'm

303
00:11:01,279 --> 00:11:04,079
responsible for as a security

304
00:11:04,079 --> 00:11:05,760
practitioner trying to secure my

305
00:11:05,760 --> 00:11:08,320
applications do you see the problem now

306
00:11:08,320 --> 00:11:10,480
this is the challenge that devops has

307
00:11:10,480 --> 00:11:12,320
brought to us from just a software

308
00:11:12,320 --> 00:11:14,000
development perspective where we've

309
00:11:14,000 --> 00:11:15,760
gotten faster and faster and faster

310
00:11:15,760 --> 00:11:17,600
we've introduced this idea of

311
00:11:17,600 --> 00:11:19,680
dependencies and if you're if you're a

312
00:11:19,680 --> 00:11:21,360
node.js developer in particular if

313
00:11:21,360 --> 00:11:23,120
you're working with npm you know the

314
00:11:23,120 --> 00:11:24,720
story you go and you open up your

315
00:11:24,720 --> 00:11:26,480
project you go get some coffee while you

316
00:11:26,480 --> 00:11:28,000
wait for npm to reload all your

317
00:11:28,000 --> 00:11:29,360
dependencies

318
00:11:29,360 --> 00:11:30,720
that's what software development's like

319
00:11:30,720 --> 00:11:32,560
these days but it's not just software

320
00:11:32,560 --> 00:11:35,040
developers what about our ops teams i

321
00:11:35,040 --> 00:11:36,800
love this quote from kelsey hightower it's

322
00:11:36,800 --> 00:11:38,959
a great tweet he put out a while back

323
00:11:38,959 --> 00:11:40,800
i've latched onto it i'm never letting

324
00:11:40,800 --> 00:11:42,800
it go he says so you want to roll your

325
00:11:42,800 --> 00:11:44,880
own application platform well great all

326
00:11:44,880 --> 00:11:47,279
you need to know is you need to know

327
00:11:47,279 --> 00:11:50,399
linux and docker and kubernetes and

328
00:11:50,399 --> 00:11:52,800
istio and prometheus and fluentd and

329
00:11:52,800 --> 00:11:55,440
grafana and jaeger and harbor and oh my

330
00:11:55,440 --> 00:11:56,399
god

331
00:11:56,399 --> 00:11:58,160
are you kidding me

332
00:11:58,160 --> 00:11:59,839
this is what we expect our ops teams to

333
00:11:59,839 --> 00:12:01,680
be able to deal with

334
00:12:01,680 --> 00:12:04,399
this is cloud native world hey great

335
00:12:04,399 --> 00:12:06,240
devops cloud native we're going full

336
00:12:06,240 --> 00:12:08,079
bore straight ahead

337
00:12:08,079 --> 00:12:09,920
oh we've got our ops and our devs teams

338
00:12:09,920 --> 00:12:11,519
working together they're really excited

339
00:12:11,519 --> 00:12:13,519
they you know but oh my god look at what

340
00:12:13,519 --> 00:12:15,760
we're asking of them when we talk cloud

341
00:12:15,760 --> 00:12:17,839
native have you seen this yet this is

342
00:12:17,839 --> 00:12:20,480
the cloud native uh computing

343
00:12:20,480 --> 00:12:22,839
foundation's uh cloud native

344
00:12:22,839 --> 00:12:24,399
landscape

345
00:12:24,399 --> 00:12:26,079
now this is actually a few months old so

346
00:12:26,079 --> 00:12:29,120
it's probably even worse than this now

347
00:12:29,120 --> 00:12:31,760
these are all the technologies that go

348
00:12:31,760 --> 00:12:36,320
into building a cloud native environment

349
00:12:36,320 --> 00:12:38,959
holy crap

350
00:12:38,959 --> 00:12:40,639
i've made this as big as i can and you

351
00:12:40,639 --> 00:12:42,160
can't even read the names on most of

352
00:12:42,160 --> 00:12:43,760
these you might recognize some of the

353
00:12:43,760 --> 00:12:45,360
logos

354
00:12:45,360 --> 00:12:47,200
these are all the things that our devs

355
00:12:47,200 --> 00:12:49,920
and our ops teams need to be experts in

356
00:12:49,920 --> 00:12:51,360
they need to understand how to configure

357
00:12:51,360 --> 00:12:52,399
all these and so when we say that

358
00:12:52,399 --> 00:12:54,560
they're responsible for security we want

359
00:12:54,560 --> 00:12:56,240
them to be able to secure all these

360
00:12:56,240 --> 00:12:58,560
things how in the heck are they going to

361
00:12:58,560 --> 00:13:00,399
do that

362
00:13:00,399 --> 00:13:03,200
it's just not feasible so okay great

363
00:13:03,200 --> 00:13:04,720
that's why we have security teams right

364
00:13:04,720 --> 00:13:06,079
security to the rescue we're going to

365
00:13:06,079 --> 00:13:08,079
hop in because security is going to come

366
00:13:08,079 --> 00:13:09,440
in and we're going to do that appsec

367
00:13:09,440 --> 00:13:10,320
thing

368
00:13:10,320 --> 00:13:12,480
sure we'll get to that appsec thing

369
00:13:12,480 --> 00:13:13,839
right after we're done worrying about

370
00:13:13,839 --> 00:13:16,480
perimeter security and network security

371
00:13:16,480 --> 00:13:18,160
yeah well by the way endpoint security

372
00:13:18,160 --> 00:13:19,040
because you got to worry about all those

373
00:13:19,040 --> 00:13:20,959
people who got laptops and desktops on

374
00:13:20,959 --> 00:13:22,720
our network

375
00:13:22,720 --> 00:13:24,399
we got to think about policy management

376
00:13:24,399 --> 00:13:25,680
we got to build all the policies that

377
00:13:25,680 --> 00:13:27,200
are going to govern all this we got to

378
00:13:27,200 --> 00:13:29,680
think about operations and then maybe we

379
00:13:29,680 --> 00:13:31,920
can get to application security but

380
00:13:31,920 --> 00:13:33,680
application security also of course

381
00:13:33,680 --> 00:13:36,560
brings with it data security are you

382
00:13:36,560 --> 00:13:38,079
exhausted yet listening to me because

383
00:13:38,079 --> 00:13:40,399
i'm exhausted talking about this

384
00:13:40,399 --> 00:13:43,040
this is crazy stuff this is everything

385
00:13:43,040 --> 00:13:45,040
that falls under our security umbrella

386
00:13:45,040 --> 00:13:46,800
and if you work in security or you've

387
00:13:46,800 --> 00:13:48,560
talked to anybody in security you know

388
00:13:48,560 --> 00:13:50,399
that we all have unlimited budgets to do

389
00:13:50,399 --> 00:13:53,040
all this right

390
00:13:53,120 --> 00:13:56,240
no we don't

391
00:13:57,440 --> 00:13:58,959
we have limited resources we have

392
00:13:58,959 --> 00:14:00,560
limited budgets just the same as

393
00:14:00,560 --> 00:14:02,720
everybody else so trying to

394
00:14:02,720 --> 00:14:05,040
manage all of this is so complex for the

395
00:14:05,040 --> 00:14:07,519
security team but that's okay i have an

396
00:14:07,519 --> 00:14:09,760
answer we have tools lots and lots of

397
00:14:09,760 --> 00:14:12,000
tools all the security products are

398
00:14:12,000 --> 00:14:13,920
gonna make us better they're gonna help

399
00:14:13,920 --> 00:14:15,839
secure us god this looks just like that

400
00:14:15,839 --> 00:14:17,279
cloud native

401
00:14:17,279 --> 00:14:19,760
doesn't it it's the same thing

402
00:14:19,760 --> 00:14:21,440
lots and lots of technologies that we

403
00:14:21,440 --> 00:14:23,360
have to understand we got to understand

404
00:14:23,360 --> 00:14:24,800
infrastructure security endpoint

405
00:14:24,800 --> 00:14:26,560
security application security messaging

406
00:14:26,560 --> 00:14:28,320
security web security security

407
00:14:28,320 --> 00:14:29,839
operations and incident response risk and

408
00:14:29,839 --> 00:14:31,279
compliance threat intelligence mobile

409
00:14:31,279 --> 00:14:33,920
security oh god i'm stopping i'm losing

410
00:14:33,920 --> 00:14:35,600
my breath

411
00:14:35,600 --> 00:14:37,680
what are we doing here

412
00:14:37,680 --> 00:14:40,000
nobody can know all these things right

413
00:14:40,000 --> 00:14:41,839
so if we're saying that you have to have

414
00:14:41,839 --> 00:14:43,920
all of these tools to make your software

415
00:14:43,920 --> 00:14:45,279
more secure and to defend your

416
00:14:45,279 --> 00:14:46,880
environments

417
00:14:46,880 --> 00:14:48,880
is it any wonder we're still seeing more

418
00:14:48,880 --> 00:14:52,880
and more breaches every single year

419
00:14:52,880 --> 00:14:53,680
no

420
00:14:53,680 --> 00:14:55,440
it's not

421
00:14:55,440 --> 00:14:57,680
and we in security are responsible for

422
00:14:57,680 --> 00:15:00,480
many of the problems that we have

423
00:15:00,480 --> 00:15:02,000
now when it comes to application

424
00:15:02,000 --> 00:15:03,360
security and specifically when i'm

425
00:15:03,360 --> 00:15:05,920
talking devops and how do we bring the

426
00:15:05,920 --> 00:15:09,600
security conversation to devops

427
00:15:09,600 --> 00:15:13,360
i have been to easily

428
00:15:13,360 --> 00:15:15,440
20 or more talks

429
00:15:15,440 --> 00:15:17,440
at various conferences over the last

430
00:15:17,440 --> 00:15:19,279
three years

431
00:15:19,279 --> 00:15:21,360
talking about devsecops

432
00:15:21,360 --> 00:15:23,760
now remember devsecops

433
00:15:23,760 --> 00:15:25,839
we started talking about this in 2012

434
00:15:25,839 --> 00:15:29,519
josh corman gene kim thank you guys

435
00:15:30,720 --> 00:15:32,959
i'm still hearing talks 20 of them in

436
00:15:32,959 --> 00:15:35,440
three years that i went to

437
00:15:35,440 --> 00:15:38,079
and what i noticed is none of them seem

438
00:15:38,079 --> 00:15:41,360
to in my opinion at least get it

439
00:15:41,360 --> 00:15:43,040
and so i started really sitting down and

440
00:15:43,040 --> 00:15:44,880
listening i went back through a lot of

441
00:15:44,880 --> 00:15:46,720
these talks that i had heard and i went

442
00:15:46,720 --> 00:15:48,240
out and i looked up some others i could

443
00:15:48,240 --> 00:15:49,920
find online

444
00:15:49,920 --> 00:15:51,759
and i wanted to see what's the message

445
00:15:51,759 --> 00:15:53,519
here what aren't we doing from a

446
00:15:53,519 --> 00:15:55,440
security perspective is it the message

447
00:15:55,440 --> 00:15:56,880
that's wrong or are we just not

448
00:15:56,880 --> 00:15:58,320
implementing it

449
00:15:58,320 --> 00:16:00,160
and what i found was there's a lot of

450
00:16:00,160 --> 00:16:03,519
myths that we perpetrate as security

451
00:16:03,519 --> 00:16:06,880
practitioners when it comes to devsecops

452
00:16:06,880 --> 00:16:08,480
things that we say you gotta do things

453
00:16:08,480 --> 00:16:10,480
that we say are absolutely necessary

454
00:16:10,480 --> 00:16:12,639
attitudes that we have ways that we

455
00:16:12,639 --> 00:16:15,440
approach this that are just plain dead

456
00:16:15,440 --> 00:16:16,959
wrong

457
00:16:16,959 --> 00:16:18,480
you almost got me to drop an f-bomb

458
00:16:18,480 --> 00:16:20,160
there but i caught myself

459
00:16:20,160 --> 00:16:21,839
gonna be good today i know it's circle

460
00:16:21,839 --> 00:16:24,240
city con but i still must behave

461
00:16:24,240 --> 00:16:25,199
so

462
00:16:25,199 --> 00:16:26,800
what i'm gonna talk to you about today

463
00:16:26,800 --> 00:16:29,040
what we're diving into next i'm gonna

464
00:16:29,040 --> 00:16:31,279
talk to you about five of the myths

465
00:16:31,279 --> 00:16:34,160
five themes that i saw in these talks or

466
00:16:34,160 --> 00:16:35,920
that i've heard from security

467
00:16:35,920 --> 00:16:37,600
practitioners even within my own

468
00:16:37,600 --> 00:16:40,399
organizations

469
00:16:40,399 --> 00:16:42,079
things that i've heard

470
00:16:42,079 --> 00:16:43,600
as a consultant

471
00:16:43,600 --> 00:16:44,959
that companies were talking about that

472
00:16:44,959 --> 00:16:46,000
they thought they had to do to make

473
00:16:46,000 --> 00:16:49,120
devsecops work this is where i want to

474
00:16:49,120 --> 00:16:51,440
start to break down these myths

475
00:16:51,440 --> 00:16:53,600
it starts with you today

476
00:16:53,600 --> 00:16:55,279
we're going to start to do devsecops

477
00:16:55,279 --> 00:16:57,279
better and it starts now

478
00:16:57,279 --> 00:16:59,680
myth number one

479
00:16:59,680 --> 00:17:02,399
tool automation is how you achieve

480
00:17:02,399 --> 00:17:05,359
devsecops

481
00:17:05,359 --> 00:17:07,520
how many times have you heard it

482
00:17:07,520 --> 00:17:09,039
oh devsecops we're moving really

483
00:17:09,039 --> 00:17:11,199
fast companies like amazon are deploying

484
00:17:11,199 --> 00:17:12,959
every 11 seconds this means we need to

485
00:17:12,959 --> 00:17:14,880
get all the security tools and they must

486
00:17:14,880 --> 00:17:17,119
all integrate and be automated in our

487
00:17:17,119 --> 00:17:18,640
pipeline and that's how we're going to

488
00:17:18,640 --> 00:17:21,760
make devsecops happen

489
00:17:22,559 --> 00:17:23,679
is that what

490
00:17:23,679 --> 00:17:25,280
devops was

491
00:17:25,280 --> 00:17:27,599
think back a minute what did i tell you

492
00:17:27,599 --> 00:17:28,559
that

493
00:17:28,559 --> 00:17:31,600
you know as those guys back in 2008 2009

494
00:17:31,600 --> 00:17:34,400
2012 are putting this together

495
00:17:34,400 --> 00:17:36,880
were they talking tools

496
00:17:36,880 --> 00:17:39,039
no

497
00:17:39,840 --> 00:17:41,679
patrick debois andrew shafer when they

498
00:17:41,679 --> 00:17:43,120
got together it wasn't about how do we

499
00:17:43,120 --> 00:17:44,960
get better tools it was how do we get

500
00:17:44,960 --> 00:17:47,440
groups of people working together

501
00:17:47,440 --> 00:17:50,000
ultimately what they wanted was a

502
00:17:50,000 --> 00:17:52,400
culture oh there's an evil term we hate

503
00:17:52,400 --> 00:17:54,080
when we talk about culture yeah yeah

504
00:17:54,080 --> 00:17:55,760
because it's hard to do

505
00:17:55,760 --> 00:17:58,320
culture's tough how do i desi how do i

506
00:17:58,320 --> 00:18:01,200
build a culture that's hard

507
00:18:01,200 --> 00:18:02,960
but that's the reality when we're

508
00:18:02,960 --> 00:18:05,520
talking devops or more importantly now

509
00:18:05,520 --> 00:18:07,840
devsecops we are talking about building

510
00:18:07,840 --> 00:18:09,760
a culture that means we cannot focus on

511
00:18:09,760 --> 00:18:11,679
tools and yet that's what we what we

512
00:18:11,679 --> 00:18:13,840
always do

513
00:18:13,840 --> 00:18:16,320
proof i went out i went to google and i

514
00:18:16,320 --> 00:18:18,880
checked search stats

515
00:18:18,880 --> 00:18:21,840
in searches that included the term

516
00:18:21,840 --> 00:18:24,840
devsecops

517
00:18:26,400 --> 00:18:29,840
what did i find number one was devsecops

518
00:18:29,840 --> 00:18:31,440
just that was the search number two i

519
00:18:31,440 --> 00:18:34,240
think was devsecops um

520
00:18:34,240 --> 00:18:35,600
and then i i only remember what the

521
00:18:35,600 --> 00:18:37,039
other word but it was

522
00:18:37,039 --> 00:18:38,880
not inconsequential

523
00:18:38,880 --> 00:18:41,200
number three was tools so devsecops

524
00:18:41,200 --> 00:18:44,320
tools was the number three most searched

525
00:18:44,320 --> 00:18:46,880
term including devsecops

526
00:18:46,880 --> 00:18:49,120
devsecops practices

527
00:18:49,120 --> 00:18:51,360
didn't show up until number nine

528
00:18:51,360 --> 00:18:55,360
methodology was 12 it was 10 excuse me

529
00:18:55,360 --> 00:18:57,600
so now we're at the bottom of that first

530
00:18:57,600 --> 00:19:01,120
page of results from google thank you

531
00:19:01,120 --> 00:19:04,080
devsecops roles the people side of

532
00:19:04,080 --> 00:19:07,520
this was number 12 and devsecops culture

533
00:19:07,520 --> 00:19:09,760
didn't show up until number 14. so we're

534
00:19:09,760 --> 00:19:12,080
halfway through the second page of

535
00:19:12,080 --> 00:19:14,639
results

536
00:19:15,919 --> 00:19:18,000
think about this if i want to build a

537
00:19:18,000 --> 00:19:19,760
culture it's not just about tools and

538
00:19:19,760 --> 00:19:21,600
technology it's about the people it's

539
00:19:21,600 --> 00:19:24,720
about the processes and that evil g word

540
00:19:24,720 --> 00:19:27,120
governance oh everybody hates governance

541
00:19:27,120 --> 00:19:28,720
because governance is you yuck it's

542
00:19:28,720 --> 00:19:29,679
policy

543
00:19:29,679 --> 00:19:32,240
it's audits it's all this yucky stuff

544
00:19:32,240 --> 00:19:34,000
how are you going to build a meaningful

545
00:19:34,000 --> 00:19:35,440
culture and know if it's working if you

546
00:19:35,440 --> 00:19:37,360
don't have governance if you're not

547
00:19:37,360 --> 00:19:39,360
monitoring your metrics seeing what

548
00:19:39,360 --> 00:19:40,480
works

549
00:19:40,480 --> 00:19:42,799
you know i i told i referenced this stat

550
00:19:42,799 --> 00:19:44,480
over and over again already from gene

551
00:19:44,480 --> 00:19:46,720
and josh's

552
00:19:46,720 --> 00:19:48,799
talk about amazon deploying every 11

553
00:19:48,799 --> 00:19:51,520
seconds how does amazon know that

554
00:19:51,520 --> 00:19:53,360
because they have meaningful metrics and

555
00:19:53,360 --> 00:19:55,360
they have governance that says

556
00:19:55,360 --> 00:19:56,559
we're going to make sure that people are

557
00:19:56,559 --> 00:19:58,880
following what we're what our processes

558
00:19:58,880 --> 00:20:00,320
are they're following our standards

559
00:20:00,320 --> 00:20:01,679
they're doing the things they're using

560
00:20:01,679 --> 00:20:03,679
the tooling and we're going to make sure

561
00:20:03,679 --> 00:20:05,280
we know what's working and what isn't so

562
00:20:05,280 --> 00:20:07,280
we can continue to get better that's how

563
00:20:07,280 --> 00:20:09,039
you build a culture

564
00:20:09,039 --> 00:20:12,400
now why is this culture so important

565
00:20:12,400 --> 00:20:14,080
the motion of today's devsecops

566
00:20:14,080 --> 00:20:17,039
pipeline is very conflicting

567
00:20:17,039 --> 00:20:18,559
with this

568
00:20:18,559 --> 00:20:20,400
new world in particular of cloud native

569
00:20:20,400 --> 00:20:21,760
which always seems to come along with

570
00:20:21,760 --> 00:20:24,159
the devsecops discussion we've got these

571
00:20:24,159 --> 00:20:26,480
conflicting motions we've got security

572
00:20:26,480 --> 00:20:28,960
who's trying to push left god love us as

573
00:20:28,960 --> 00:20:30,720
long as i've been in security we have

574
00:20:30,720 --> 00:20:35,760
been talking about the need to push left

575
00:20:35,760 --> 00:20:37,520
16 years

576
00:20:37,520 --> 00:20:39,280
in fact we were talking about it when i

577
00:20:39,280 --> 00:20:41,200
was a developer we were talking about

578
00:20:41,200 --> 00:20:42,640
pushing left not just in terms of

579
00:20:42,640 --> 00:20:44,799
security but also our testing we wanted

580
00:20:44,799 --> 00:20:47,200
qa to push left how do we do this

581
00:20:47,200 --> 00:20:49,600
testing sooner

582
00:20:49,600 --> 00:20:51,919
but now we've introduced cloud native

583
00:20:51,919 --> 00:20:53,760
and the influence of developers is

584
00:20:53,760 --> 00:20:56,159
pushing further to the right

585
00:20:56,159 --> 00:20:58,400
developers now through things like

586
00:20:58,400 --> 00:21:01,200
infrastructure as code are divided

587
00:21:01,200 --> 00:21:03,520
excuse me defining the very

588
00:21:03,520 --> 00:21:05,039
infrastructure on which they're going to

589
00:21:05,039 --> 00:21:08,480
deploy their software

590
00:21:08,480 --> 00:21:10,240
so their influence moves farther and

591
00:21:10,240 --> 00:21:12,640
farther right into the pipeline

592
00:21:12,640 --> 00:21:14,720
but then you've got ops ops is having to

593
00:21:14,720 --> 00:21:17,600
push up the stack right because ops can

594
00:21:17,600 --> 00:21:19,200
no longer worry about just bare metal

595
00:21:19,200 --> 00:21:21,200
servers and operating systems they need

596
00:21:21,200 --> 00:21:23,760
to understand things like kubernetes and

597
00:21:23,760 --> 00:21:25,120
the database

598
00:21:25,120 --> 00:21:28,240
layer and they need to be a part of

599
00:21:28,240 --> 00:21:30,320
creating containers all this is defined

600
00:21:30,320 --> 00:21:32,240
in code they're working in things like

601
00:21:32,240 --> 00:21:36,320
terraform but oh my gosh

602
00:21:36,320 --> 00:21:38,799
this isn't just about plugging blades

603
00:21:38,799 --> 00:21:41,120
into into server racks and things like

604
00:21:41,120 --> 00:21:43,440
that this is no we're writing code as

605
00:21:43,440 --> 00:21:45,679
operations folks this is where the sre

606
00:21:45,679 --> 00:21:48,240
role has come from

607
00:21:48,240 --> 00:21:51,840
and then finally pushing down into

608
00:21:51,840 --> 00:21:54,480
granular levels of involvement in the

609
00:21:54,480 --> 00:21:56,799
pipeline is our business

610
00:21:56,799 --> 00:21:58,960
we've got business people writing user

611
00:21:58,960 --> 00:22:00,799
stories they're putting new information

612
00:22:00,799 --> 00:22:02,799
on our backlogs all the time they are

613
00:22:02,799 --> 00:22:05,520
directly defining our sprints many times

614
00:22:05,520 --> 00:22:07,760
they're typically at least involved in

615
00:22:07,760 --> 00:22:09,840
our sprint planning if we do that if

616
00:22:09,840 --> 00:22:12,080
we're true ci cd maybe they don't even

617
00:22:12,080 --> 00:22:14,159
have planning and so they're there as

618
00:22:14,159 --> 00:22:17,120
part of helping prioritize various user

619
00:22:17,120 --> 00:22:18,640
stories

620
00:22:18,640 --> 00:22:20,720
so we have all these conflicting motions

621
00:22:20,720 --> 00:22:23,360
and this is why culture is so important

622
00:22:23,360 --> 00:22:25,679
because having a culture around

623
00:22:25,679 --> 00:22:28,720
devsecops is what's going to allow us to

624
00:22:28,720 --> 00:22:30,960
align these various motions together and

625
00:22:30,960 --> 00:22:33,360
coordinate them and make them happen and

626
00:22:33,360 --> 00:22:36,080
that feeds right into our second myth

627
00:22:36,080 --> 00:22:38,640
the second myth that i always hear when

628
00:22:38,640 --> 00:22:39,520
i go

629
00:22:39,520 --> 00:22:41,039
and talk to security people about

630
00:22:41,039 --> 00:22:43,840
devsecops is that shared responsibility

631
00:22:43,840 --> 00:22:45,600
means

632
00:22:45,600 --> 00:22:48,559
everyone's responsible for security

633
00:22:48,559 --> 00:22:49,760
have you heard this term shared

634
00:22:49,760 --> 00:22:51,760
responsibility before this is talked

635
00:22:51,760 --> 00:22:53,360
about a lot when we talk devops and

636
00:22:53,360 --> 00:22:56,400
devsecops it's this idea that everybody

637
00:22:56,400 --> 00:22:58,320
has a shared responsibility for getting

638
00:22:58,320 --> 00:22:59,919
software out

639
00:22:59,919 --> 00:23:02,159
and that's the key because when i say

640
00:23:02,159 --> 00:23:03,760
shared responsibility means everyone's

641
00:23:03,760 --> 00:23:05,360
responsible for security well what are

642
00:23:05,360 --> 00:23:07,360
my devs in my sres saying

643
00:23:07,360 --> 00:23:10,080
they're asking what the hell about us

644
00:23:10,080 --> 00:23:12,320
what about all those times you told us

645
00:23:12,320 --> 00:23:14,400
security you said you had the answers to

646
00:23:14,400 --> 00:23:16,400
make this right and you're still telling

647
00:23:16,400 --> 00:23:19,360
us we're not secure

648
00:23:21,520 --> 00:23:24,080
devsecops shared responsibility this

649
00:23:24,080 --> 00:23:25,760
this shared responsibility which is at

650
00:23:25,760 --> 00:23:28,400
the core of devsecops culture

651
00:23:28,400 --> 00:23:30,640
is not just about security

652
00:23:30,640 --> 00:23:32,640
how arrogant are we as security

653
00:23:32,640 --> 00:23:34,400
practitioners that we want to go in

654
00:23:34,400 --> 00:23:35,760
there and say it's a shared

655
00:23:35,760 --> 00:23:39,760
responsibility you all must do security

656
00:23:40,880 --> 00:23:43,440
it's not just about security what about

657
00:23:43,440 --> 00:23:46,159
us as security practitioners how do we

658
00:23:46,159 --> 00:23:49,039
take on a shared responsibility now i

659
00:23:49,039 --> 00:23:50,799
promise you this is one of

660
00:23:50,799 --> 00:23:52,640
very few times and it is the only time

661
00:23:52,640 --> 00:23:54,559
in this presentation that you will see a

662
00:23:54,559 --> 00:23:57,440
venn diagram for me i hate these things

663
00:23:57,440 --> 00:23:58,480
but

664
00:23:58,480 --> 00:24:00,559
i had to use it it was the only way that

665
00:24:00,559 --> 00:24:02,080
i could really think of that i could

666
00:24:02,080 --> 00:24:05,840
illustrate this next point

667
00:24:05,919 --> 00:24:08,880
shared responsibility is everybody is

668
00:24:08,880 --> 00:24:11,600
responsible for the pipeline the

669
00:24:11,600 --> 00:24:14,799
deployment of software that means all of

670
00:24:14,799 --> 00:24:17,120
our goals have to align so let's talk

671
00:24:17,120 --> 00:24:18,559
about those goals for a minute you have

672
00:24:18,559 --> 00:24:20,320
developers what are the developers

673
00:24:20,320 --> 00:24:22,400
motivations what are they trying to do

674
00:24:22,400 --> 00:24:25,039
they're trying to deploy fast and

675
00:24:25,039 --> 00:24:27,520
they're trying to minimize works in

676
00:24:27,520 --> 00:24:29,279
progress

677
00:24:29,279 --> 00:24:30,400
if you work in a development

678
00:24:30,400 --> 00:24:31,360
organization maybe you've seen the

679
00:24:31,360 --> 00:24:33,840
kanban boards that that our development

680
00:24:33,840 --> 00:24:35,760
teams use to manage this they know

681
00:24:35,760 --> 00:24:37,039
what's in the backlog they know it's a

682
00:24:37,039 --> 00:24:38,400
work in progress they know what's done

683
00:24:38,400 --> 00:24:40,720
what's been deployed and that work in

684
00:24:40,720 --> 00:24:42,400
progress column is always the one that

685
00:24:42,400 --> 00:24:44,320
we're trying to minimize

686
00:24:44,320 --> 00:24:46,240
we don't want things sitting in work in

687
00:24:46,240 --> 00:24:48,240
progress any longer than we have to the

688
00:24:48,240 --> 00:24:51,039
key to getting to a quick ci cd work

689
00:24:51,039 --> 00:24:53,279
we're continuously deploying new

690
00:24:53,279 --> 00:24:54,480
software

691
00:24:54,480 --> 00:24:56,799
at that 11 seconds mark

692
00:24:56,799 --> 00:25:00,240
it's about reducing work in progress

693
00:25:00,240 --> 00:25:01,840
moving things through the pipeline

694
00:25:01,840 --> 00:25:04,159
quickly

695
00:25:04,159 --> 00:25:06,240
now for ops what they're worried about

696
00:25:06,240 --> 00:25:08,400
is uptime and responsiveness if things

697
00:25:08,400 --> 00:25:10,960
are running slow or servers are down or

698
00:25:10,960 --> 00:25:13,520
containers are failing or are kubernetes

699
00:25:13,520 --> 00:25:16,159
clusters are having problems that's

700
00:25:16,159 --> 00:25:17,600
their world that's what they're worried

701
00:25:17,600 --> 00:25:19,520
about all that infrastructure stuff when

702
00:25:19,520 --> 00:25:21,279
it comes to software they are worried

703
00:25:21,279 --> 00:25:22,240
about

704
00:25:22,240 --> 00:25:24,400
is it available and is it running

705
00:25:24,400 --> 00:25:26,240
efficiently

706
00:25:26,240 --> 00:25:27,919
and then security of course we're

707
00:25:27,919 --> 00:25:29,440
looking to eliminate vulnerabilities and

708
00:25:29,440 --> 00:25:31,360
defend our systems we want to get rid of

709
00:25:31,360 --> 00:25:32,799
the risk we want to make sure we don't

710
00:25:32,799 --> 00:25:36,480
get hacked so we are working on this

711
00:25:36,480 --> 00:25:39,200
but when i talk shared responsibility in

712
00:25:39,200 --> 00:25:42,559
devsecops this is where it happens it's

713
00:25:42,559 --> 00:25:45,840
when those intersect when my security

714
00:25:45,840 --> 00:25:48,799
team understands that security is

715
00:25:48,799 --> 00:25:50,640
responsible for deploying fast and

716
00:25:50,640 --> 00:25:53,919
minimizing works in progress

717
00:25:53,919 --> 00:25:56,720
security is responsible for uptime and

718
00:25:56,720 --> 00:25:59,360
responsiveness

719
00:25:59,360 --> 00:26:01,679
same thing for ops they're responsible

720
00:26:01,679 --> 00:26:03,360
for deploying fast and minimizing works

721
00:26:03,360 --> 00:26:05,120
in progress as well as eliminating

722
00:26:05,120 --> 00:26:08,159
vulnerabilities and defending systems

723
00:26:08,159 --> 00:26:09,840
and our devs understand that they are

724
00:26:09,840 --> 00:26:10,960
responsible for eliminating

725
00:26:10,960 --> 00:26:12,799
vulnerabilities and defending systems

726
00:26:12,799 --> 00:26:15,760
and making sure that their software

727
00:26:15,760 --> 00:26:18,480
is up as often as pos as much as

728
00:26:18,480 --> 00:26:20,880
possible and that it's responsive

729
00:26:20,880 --> 00:26:24,240
everybody has these in their goals that

730
00:26:24,240 --> 00:26:26,480
is the shared responsibility that we're

731
00:26:26,480 --> 00:26:27,679
talking about when we talk about

732
00:26:27,679 --> 00:26:29,200
devsecops

733
00:26:29,200 --> 00:26:31,279
so we need to be building this into our

734
00:26:31,279 --> 00:26:33,600
culture this understanding that

735
00:26:33,600 --> 00:26:35,679
everybody is not only responsible for

736
00:26:35,679 --> 00:26:38,400
security everybody is responsible

737
00:26:38,400 --> 00:26:40,400
for making that pipeline as efficient as

738
00:26:40,400 --> 00:26:43,600
possible and everybody is responsible

739
00:26:43,600 --> 00:26:45,120
for making sure that the software in our

740
00:26:45,120 --> 00:26:47,039
production environments runs as

741
00:26:47,039 --> 00:26:49,200
efficiently as possible and that it is

742
00:26:49,200 --> 00:26:51,600
always available at least to whatever

743
00:26:51,600 --> 00:26:53,760
service level it is that we are shooting

744
00:26:53,760 --> 00:26:55,600
for

745
00:26:55,600 --> 00:26:56,880
that

746
00:26:56,880 --> 00:26:58,880
that's shared responsibility

747
00:26:58,880 --> 00:27:00,559
oh this is sounding fun isn't it but

748
00:27:00,559 --> 00:27:01,679
we're not done yet that's only the

749
00:27:01,679 --> 00:27:03,039
second myth

750
00:27:03,039 --> 00:27:04,400
i got more

751
00:27:04,400 --> 00:27:07,360
we're busting myths left and right

752
00:27:07,360 --> 00:27:10,320
myth number three

753
00:27:11,039 --> 00:27:14,400
build gates into the pipeline to achieve

754
00:27:14,400 --> 00:27:17,919
security and devsecops

755
00:27:17,919 --> 00:27:19,600
those of you that know me and follow me

756
00:27:19,600 --> 00:27:22,159
on twitter or have talked to me in any

757
00:27:22,159 --> 00:27:23,520
way about software development and

758
00:27:23,520 --> 00:27:25,919
devsecops you know this is probably my

759
00:27:25,919 --> 00:27:28,320
single biggest pet

760
00:27:28,320 --> 00:27:30,159
peeve

761
00:27:30,159 --> 00:27:32,720
the story the narrative that in order to

762
00:27:32,720 --> 00:27:35,200
do devsecops in order to bring security

763
00:27:35,200 --> 00:27:38,159
into devops we need to put gates in the

764
00:27:38,159 --> 00:27:40,960
pipeline where we do the security thing

765
00:27:40,960 --> 00:27:42,880
where we validate the security of the

766
00:27:42,880 --> 00:27:45,360
software

767
00:27:46,240 --> 00:27:47,600
reality is

768
00:27:47,600 --> 00:27:49,520
we've been doing this forever

769
00:27:49,520 --> 00:27:51,360
when i go to these and we haven't

770
00:27:51,360 --> 00:27:53,679
changed right when i go to these talks

771
00:27:53,679 --> 00:27:56,080
this is what people suggest they suggest

772
00:27:56,080 --> 00:27:57,360
that well you know when something moves

773
00:27:57,360 --> 00:27:59,600
from the backlog to the point where to

774
00:27:59,600 --> 00:28:01,679
the coding phase well you need to do

775
00:28:01,679 --> 00:28:04,240
your threat modeling then

776
00:28:04,240 --> 00:28:05,520
and then

777
00:28:05,520 --> 00:28:07,120
when you're ready when that code gets

778
00:28:07,120 --> 00:28:09,279
committed well now we need to do our sast

779
00:28:09,279 --> 00:28:11,039
and dast tools and then when we're before

780
00:28:11,039 --> 00:28:13,279
we can deploy after we built and tested

781
00:28:13,279 --> 00:28:15,520
it well now we need to do our dast tools

782
00:28:15,520 --> 00:28:17,120
and then after it's deployed we gotta do

783
00:28:17,120 --> 00:28:19,520
penetration testing

784
00:28:19,520 --> 00:28:21,840
this creates friction these create long

785
00:28:21,840 --> 00:28:23,919
feedback loops that slow down our

786
00:28:23,919 --> 00:28:26,159
pipeline more on that in a minute

787
00:28:26,159 --> 00:28:27,840
we need to think in terms of

788
00:28:27,840 --> 00:28:29,520
frictionless enablement when it comes to

789
00:28:29,520 --> 00:28:32,520
devsecops how does security

790
00:28:32,520 --> 00:28:35,919
frictionlessly enable the pipeline to

791
00:28:35,919 --> 00:28:37,760
flow remember security is responsible

792
00:28:37,760 --> 00:28:38,640
for

793
00:28:38,640 --> 00:28:41,120
you know fast deploys and reducing works

794
00:28:41,120 --> 00:28:42,640
in progress that's our responsibility

795
00:28:42,640 --> 00:28:44,399
now so we have to be all about

796
00:28:44,399 --> 00:28:47,039
frictionless enablement

797
00:28:47,039 --> 00:28:50,159
to do that we need to make our security

798
00:28:50,159 --> 00:28:51,919
practices

799
00:28:51,919 --> 00:28:55,360
part of those phases they cannot be

800
00:28:55,360 --> 00:28:57,679
gates in between let's talk a little bit

801
00:28:57,679 --> 00:29:00,000
more about this now when i hear people

802
00:29:00,000 --> 00:29:02,000
talk about gates in the pipeline usually

803
00:29:02,000 --> 00:29:03,520
what they're talking about is breaking

804
00:29:03,520 --> 00:29:05,600
the build you'll hear this discussed a

805
00:29:05,600 --> 00:29:07,200
lot of times in conversations about

806
00:29:07,200 --> 00:29:09,760
devsecops so how does that work well i've

807
00:29:09,760 --> 00:29:11,760
got developers who are constantly

808
00:29:11,760 --> 00:29:13,520
developing they're writing comm they're

809
00:29:13,520 --> 00:29:14,720
writing their code they're committing

810
00:29:14,720 --> 00:29:15,760
their code they're writing more code

811
00:29:15,760 --> 00:29:17,919
they're committing more code and at some

812
00:29:17,919 --> 00:29:20,000
point that code is going to get promoted

813
00:29:20,000 --> 00:29:22,240
when that code gets promoted it gets

814
00:29:22,240 --> 00:29:24,240
built and when that code gets built it

815
00:29:24,240 --> 00:29:26,720
gets tested and this is all automated as

816
00:29:26,720 --> 00:29:29,279
well right this is where the ci portion

817
00:29:29,279 --> 00:29:31,679
of our pipeline starts that continuous

818
00:29:31,679 --> 00:29:34,080
integration and then from there it's

819
00:29:34,080 --> 00:29:35,520
going to reach a point our testing is

820
00:29:35,520 --> 00:29:37,679
done and the last piece is then now

821
00:29:37,679 --> 00:29:39,039
we're ready to move to release we're

822
00:29:39,039 --> 00:29:40,640
going to promote again but now we have

823
00:29:40,640 --> 00:29:42,480
to test it again this is where we do our

824
00:29:42,480 --> 00:29:43,919
regression test

825
00:29:43,919 --> 00:29:46,159
and now we package it up and we deploy

826
00:29:46,159 --> 00:29:48,240
it

827
00:29:48,960 --> 00:29:50,640
so where does security fit

828
00:29:50,640 --> 00:29:52,000
we put in gates we want to break the

829
00:29:52,000 --> 00:29:54,880
build so what do we say we say that yes

830
00:29:54,880 --> 00:29:57,279
we test as part of your build so after

831
00:29:57,279 --> 00:29:59,440
your software builds we run our security

832
00:29:59,440 --> 00:30:01,840
tests in an automated fashion maybe it's

833
00:30:01,840 --> 00:30:04,480
source code analysis or sast tools maybe

834
00:30:04,480 --> 00:30:06,880
we do source code or yes source code

835
00:30:06,880 --> 00:30:08,480
analysis or software composition

836
00:30:08,480 --> 00:30:12,240
analysis excuse me sca

837
00:30:12,240 --> 00:30:14,320
and what do we do oh you have too many

838
00:30:14,320 --> 00:30:15,679
vulnerabilities or you have to make

839
00:30:15,679 --> 00:30:17,039
critical or severe or high

840
00:30:17,039 --> 00:30:18,399
vulnerabilities

841
00:30:18,399 --> 00:30:19,600
you have packages that have

842
00:30:19,600 --> 00:30:21,919
vulnerabilities and need to be updated

843
00:30:21,919 --> 00:30:23,120
we're going to push the pipeline

844
00:30:23,120 --> 00:30:24,240
backward and you're going back to

845
00:30:24,240 --> 00:30:25,600
development

846
00:30:25,600 --> 00:30:27,279
what happens when we go to release same

847
00:30:27,279 --> 00:30:29,440
thing we launch testing we test their

848
00:30:29,440 --> 00:30:31,840
packages oh sorry this doesn't match up

849
00:30:31,840 --> 00:30:34,320
to our expectations

850
00:30:34,320 --> 00:30:36,640
we're going to break it we're putting

851
00:30:36,640 --> 00:30:38,320
that gate in that gate stays closed you

852
00:30:38,320 --> 00:30:39,840
can't go to production we're sending you

853
00:30:39,840 --> 00:30:42,080
all the way back to development this

854
00:30:42,080 --> 00:30:45,760
breaks ci cd this breaks the whole

855
00:30:45,760 --> 00:30:48,720
concept of devsecops

856
00:30:48,720 --> 00:30:52,000
so how do we get to a true ci cd

857
00:30:52,000 --> 00:30:53,520
well we've got our developers doing what

858
00:30:53,520 --> 00:30:55,200
they do we want them coding and

859
00:30:55,200 --> 00:30:56,799
committing all day that's what we want

860
00:30:56,799 --> 00:30:58,240
them doing constantly coding and

861
00:30:58,240 --> 00:31:00,080
committing putting new code into the

862
00:31:00,080 --> 00:31:03,840
repository keep building up our packages

863
00:31:03,840 --> 00:31:05,600
integration still looks the same we

864
00:31:05,600 --> 00:31:07,679
build and then we test so somewhere in

865
00:31:07,679 --> 00:31:10,000
this process we've got those

866
00:31:10,000 --> 00:31:11,919
you know we're doing various testing

867
00:31:11,919 --> 00:31:13,200
that's great

868
00:31:13,200 --> 00:31:14,720
and then our release

869
00:31:14,720 --> 00:31:16,880
package it up test it and deploy it

870
00:31:16,880 --> 00:31:17,760
great

871
00:31:17,760 --> 00:31:20,559
the key here is

872
00:31:20,559 --> 00:31:22,320
we need to enable these developers

873
00:31:22,320 --> 00:31:23,840
differently

874
00:31:23,840 --> 00:31:25,360
when i talk frictionless enablement i'm

875
00:31:25,360 --> 00:31:26,799
talking about giving the developers the

876
00:31:26,799 --> 00:31:29,519
ability to do

877
00:31:29,519 --> 00:31:31,360
much of the security work before

878
00:31:31,360 --> 00:31:33,519
anything gets built

879
00:31:33,519 --> 00:31:36,080
before it moves into that testing phase

880
00:31:36,080 --> 00:31:38,320
so that when we get to the testing phase

881
00:31:38,320 --> 00:31:40,640
vulnerabilities we're finding

882
00:31:40,640 --> 00:31:42,320
are not so critical that we have to

883
00:31:42,320 --> 00:31:44,880
break a build instead we're moving

884
00:31:44,880 --> 00:31:46,240
toward the point where our

885
00:31:46,240 --> 00:31:48,399
vulnerabilities are

886
00:31:48,399 --> 00:31:49,919
low enough severity that i can just

887
00:31:49,919 --> 00:31:51,360
throw them in the backlog with a high

888
00:31:51,360 --> 00:31:52,880
priority

889
00:31:52,880 --> 00:31:54,559
and they just get addressed in the next

890
00:31:54,559 --> 00:31:55,519
cycle

891
00:31:55,519 --> 00:31:57,919
another key to this is the speed so when

892
00:31:57,919 --> 00:32:01,039
security is focused on making our ci cd

893
00:32:01,039 --> 00:32:04,399
flow quickly on deploying fast i know

894
00:32:04,399 --> 00:32:06,159
that because i'm deploying on average

895
00:32:06,159 --> 00:32:08,880
every 11 seconds

896
00:32:08,880 --> 00:32:10,399
then it's not going to take long for

897
00:32:10,399 --> 00:32:12,960
that p1 security vulnerability i just

898
00:32:12,960 --> 00:32:15,279
got put into the backlog to get fixed so

899
00:32:15,279 --> 00:32:17,919
if that security vulnerability goes

900
00:32:17,919 --> 00:32:19,760
through and is deployed to production i

901
00:32:19,760 --> 00:32:21,519
know very quickly it will be addressed

902
00:32:21,519 --> 00:32:23,600
by our developers because there's a p1

903
00:32:23,600 --> 00:32:25,200
user story out there that's going to get

904
00:32:25,200 --> 00:32:27,279
grabbed next

905
00:32:27,279 --> 00:32:28,559
and i can do the same thing with the

906
00:32:28,559 --> 00:32:31,919
testing that happens pre-deployment

907
00:32:31,919 --> 00:32:34,159
this is our goal this should be our goal

908
00:32:34,159 --> 00:32:36,559
as security practitioners working in

909
00:32:36,559 --> 00:32:38,720
application security when we're working

910
00:32:38,720 --> 00:32:41,440
in devsecops with a ci cd pipeline we

911
00:32:41,440 --> 00:32:43,279
don't want to push that pipeline

912
00:32:43,279 --> 00:32:44,480
backward

913
00:32:44,480 --> 00:32:46,080
we need to keep it flowing and make it

914
00:32:46,080 --> 00:32:47,919
faster and faster because that is what

915
00:32:47,919 --> 00:32:50,240
is going to give us rugged devops we

916
00:32:50,240 --> 00:32:51,760
become rugged

917
00:32:51,760 --> 00:32:52,640
when

918
00:32:52,640 --> 00:32:54,559
those things get fixed quickly and we

919
00:32:54,559 --> 00:32:56,799
continue to improve the software at a

920
00:32:56,799 --> 00:32:59,200
high rate of speed

921
00:32:59,200 --> 00:33:00,799
that's where we need to go as security

922
00:33:00,799 --> 00:33:02,240
practitioners it's not about building

923
00:33:02,240 --> 00:33:05,039
gates and stopping that pipeline

924
00:33:05,039 --> 00:33:06,880
it's about enabling our developers to

925
00:33:06,880 --> 00:33:09,600
move faster to do this quicker and to

926
00:33:09,600 --> 00:33:12,399
understand the security concepts that we

927
00:33:12,399 --> 00:33:14,640
want them to be aware of that we want

928
00:33:14,640 --> 00:33:16,480
them to incorporate into their code and

929
00:33:16,480 --> 00:33:19,120
giving them tools to do it

930
00:33:19,120 --> 00:33:21,120
how many of your developers have sast

931
00:33:21,120 --> 00:33:22,320
tools

932
00:33:22,320 --> 00:33:25,120
sca tools that run within their ides that

933
00:33:25,120 --> 00:33:29,440
run on their repos when they commit code

934
00:33:29,440 --> 00:33:31,039
those packages are there that tooling is

935
00:33:31,039 --> 00:33:33,279
there that's one piece of it training

936
00:33:33,279 --> 00:33:35,760
them giving them that awareness working

937
00:33:35,760 --> 00:33:38,640
with them and enabling them with things

938
00:33:38,640 --> 00:33:41,039
like reference architectures

939
00:33:41,039 --> 00:33:43,039
design standards things that they can

940
00:33:43,039 --> 00:33:44,720
reference back to and quickly address

941
00:33:44,720 --> 00:33:46,720
the security needs of the user story

942
00:33:46,720 --> 00:33:49,440
they're working on

943
00:33:49,519 --> 00:33:53,519
and this brings us to our next myth

944
00:33:53,519 --> 00:33:55,120
myth number four

945
00:33:55,120 --> 00:33:57,600
is that threat modeling is incompatible

946
00:33:57,600 --> 00:33:59,440
with devsecops

947
00:33:59,440 --> 00:34:01,519
i was told this once i was working as a

948
00:34:01,519 --> 00:34:02,799
consultant and i worked with this

949
00:34:02,799 --> 00:34:04,919
organization who had a very well

950
00:34:04,919 --> 00:34:07,919
well-defined threat modeling process

951
00:34:07,919 --> 00:34:09,760
it was great i mean they had spent years

952
00:34:09,760 --> 00:34:11,440
building it they went through it they

953
00:34:11,440 --> 00:34:13,040
had it down to where they could do this

954
00:34:13,040 --> 00:34:15,520
they called it um i don't even remember

955
00:34:15,520 --> 00:34:17,918
it wasn't architecture review but they

956
00:34:17,918 --> 00:34:19,520
it was like security architecture review

957
00:34:19,520 --> 00:34:20,639
or something like that it's not

958
00:34:20,639 --> 00:34:21,918
important but basically it was threat

959
00:34:21,918 --> 00:34:23,760
modeling and they had it down to where

960
00:34:23,760 --> 00:34:25,359
they could do it within a day

961
00:34:25,359 --> 00:34:26,960
they could bring everybody together they

962
00:34:26,960 --> 00:34:28,239
had certain artifacts that had to be

963
00:34:28,239 --> 00:34:30,000
created in advance but everybody got

964
00:34:30,000 --> 00:34:32,079
together in one day and they did this

965
00:34:32,079 --> 00:34:33,119
thing

966
00:34:33,119 --> 00:34:34,719
and i remember coming out of one of

967
00:34:34,719 --> 00:34:36,000
these sessions

968
00:34:36,000 --> 00:34:38,079
and talking to a developer who told me

969
00:34:38,079 --> 00:34:40,879
he was so excited he couldn't wait until

970
00:34:40,879 --> 00:34:42,480
they didn't have to do this anymore

971
00:34:42,480 --> 00:34:44,719
because they were going to a devsecops

972
00:34:44,719 --> 00:34:45,760
model

973
00:34:45,760 --> 00:34:47,280
and you can't do threat modeling if

974
00:34:47,280 --> 00:34:49,440
you're in devsecops

975
00:34:49,440 --> 00:34:50,480
wrong

976
00:34:50,480 --> 00:34:52,239
wrong wrong wrong if you saw my talk

977
00:34:52,239 --> 00:34:54,560
yesterday on threat modeling you know i

978
00:34:54,560 --> 00:34:55,918
hit this and we're about to talk about

979
00:34:55,918 --> 00:34:56,879
it again

980
00:34:56,879 --> 00:34:58,560
i promised you yesterday i would get in

981
00:34:58,560 --> 00:35:00,880
deeper into this discussion so if you

982
00:35:00,880 --> 00:35:02,960
saw that talk you saw this

983
00:35:02,960 --> 00:35:04,560
for those of you that didn't

984
00:35:04,560 --> 00:35:07,760
2019 circleci and puppet released their

985
00:35:07,760 --> 00:35:11,280
state of dev ops report

986
00:35:11,280 --> 00:35:12,960
in that report they analyzed a lot of

987
00:35:12,960 --> 00:35:14,640
different things about devops culture

988
00:35:14,640 --> 00:35:16,640
and so forth but one of the things they

989
00:35:16,640 --> 00:35:19,440
looked at was security practices in the

990
00:35:19,440 --> 00:35:20,720
devops

991
00:35:20,720 --> 00:35:21,920
community

992
00:35:21,920 --> 00:35:23,680
they looked at the frequency with which

993
00:35:23,680 --> 00:35:27,359
we practice certain security tasks

994
00:35:27,359 --> 00:35:29,920
versus the importance or the impact that

995
00:35:29,920 --> 00:35:32,240
they have on the security posture of the

996
00:35:32,240 --> 00:35:34,240
software

997
00:35:34,240 --> 00:35:35,680
and they plotted it out in four

998
00:35:35,680 --> 00:35:37,119
quadrants

999
00:35:37,119 --> 00:35:38,880
this upper left quadrant those things

1000
00:35:38,880 --> 00:35:40,320
that we do a lot

1001
00:35:40,320 --> 00:35:42,160
that

1002
00:35:42,160 --> 00:35:44,720
don't necessarily have the impact we we

1003
00:35:44,720 --> 00:35:47,359
would want on security posture that's

1004
00:35:47,359 --> 00:35:48,720
where we see things and i know it's hard

1005
00:35:48,720 --> 00:35:49,839
to read but you see things like

1006
00:35:49,839 --> 00:35:51,680
penetration testing

1007
00:35:51,680 --> 00:35:54,720
dependency checkers static code analysis

1008
00:35:54,720 --> 00:35:58,520
security requirements

1009
00:35:59,440 --> 00:36:02,160
but it's when we go down here

1010
00:36:02,160 --> 00:36:04,000
to the lower right

1011
00:36:04,000 --> 00:36:06,000
those things that

1012
00:36:06,000 --> 00:36:08,400
we don't do very often they're not as

1013
00:36:08,400 --> 00:36:11,280
well adopted but have significant impact

1014
00:36:11,280 --> 00:36:13,520
we see this one that's circled it says

1015
00:36:13,520 --> 00:36:15,920
security and dev teams

1016
00:36:15,920 --> 00:36:19,839
collaborating on threat models

1017
00:36:19,839 --> 00:36:21,520
this is how important threat modeling is

1018
00:36:21,520 --> 00:36:24,160
threat modeling has such a massive

1019
00:36:24,160 --> 00:36:26,480
impact on the security posture of our

1020
00:36:26,480 --> 00:36:28,240
software and it's one of those things

1021
00:36:28,240 --> 00:36:31,680
that allows us to push further left

1022
00:36:31,680 --> 00:36:33,680
but when i say threat modeling people

1023
00:36:33,680 --> 00:36:35,440
start to think of this

1024
00:36:35,440 --> 00:36:37,040
and you probably do too if you've done

1025
00:36:37,040 --> 00:36:39,119
any threat modeling you see that data

1026
00:36:39,119 --> 00:36:41,119
flow diagram up there and you think

1027
00:36:41,119 --> 00:36:42,640
about oh yeah for threat modeling we

1028
00:36:42,640 --> 00:36:43,839
have to put together this whole data

1029
00:36:43,839 --> 00:36:45,280
flow diagram that maps out data

1030
00:36:45,280 --> 00:36:47,119
throughout our entire system where it

1031
00:36:47,119 --> 00:36:49,200
flows where it's stored where it's

1032
00:36:49,200 --> 00:36:50,960
processed the

1033
00:36:50,960 --> 00:36:53,040
trust boundaries that it crosses and we

1034
00:36:53,040 --> 00:36:54,480
got to know the whole system so that

1035
00:36:54,480 --> 00:36:56,640
requires us to have a big heavy design

1036
00:36:56,640 --> 00:37:00,240
session to make that happen doesn't it

1037
00:37:02,000 --> 00:37:03,359
[Music]

1038
00:37:03,359 --> 00:37:04,560
well no wonder we don't think it's

1039
00:37:04,560 --> 00:37:06,480
compatible with devsecops and then by

1040
00:37:06,480 --> 00:37:07,440
the way

1041
00:37:07,440 --> 00:37:08,800
after we've done that we're going to use

1042
00:37:08,800 --> 00:37:11,520
stride this thing this framework that we

1043
00:37:11,520 --> 00:37:14,240
use to classify threat models

1044
00:37:14,240 --> 00:37:15,359
here's how we're going to classify our

1045
00:37:15,359 --> 00:37:17,280
threats and we're going to use really

1046
00:37:17,280 --> 00:37:18,000
con

1047
00:37:18,000 --> 00:37:19,760
technical terminology from the security

1048
00:37:19,760 --> 00:37:21,119
world we're going to talk about spoofing

1049
00:37:21,119 --> 00:37:22,880
and tampering and repudiation and

1050
00:37:22,880 --> 00:37:24,640
integrity

1051
00:37:24,640 --> 00:37:25,680
what

1052
00:37:25,680 --> 00:37:27,680
no one understands that come on we're

1053
00:37:27,680 --> 00:37:28,960
the only ones who get that but then

1054
00:37:28,960 --> 00:37:29,760
we're going to say that we're going to

1055
00:37:29,760 --> 00:37:31,440
create attack trees so there's another

1056
00:37:31,440 --> 00:37:33,359
process we have to map out all the

1057
00:37:33,359 --> 00:37:34,800
threats and how they turn into attack

1058
00:37:34,800 --> 00:37:36,720
trees to to realize those threats and

1059
00:37:36,720 --> 00:37:37,839
and we're gonna realize that some of

1060
00:37:37,839 --> 00:37:40,640
those some of those attack patterns

1061
00:37:40,640 --> 00:37:41,920
are impossible

1062
00:37:41,920 --> 00:37:43,520
so we're gonna scratch those off now

1063
00:37:43,520 --> 00:37:45,520
that's a lot of wasted effort oh and now

1064
00:37:45,520 --> 00:37:46,800
we're gonna use dread because now that

1065
00:37:46,800 --> 00:37:48,480
we've got our threats and our attacks mapped

1066
00:37:48,480 --> 00:37:51,040
out well we got to prioritize them so we

1067
00:37:51,040 --> 00:37:53,040
are going to use dread as a framework

1068
00:37:53,040 --> 00:37:54,720
to help us do that and then we're going

1069
00:37:54,720 --> 00:37:56,160
to do this in the cyclical fashion we're

1070
00:37:56,160 --> 00:37:57,200
going to have to do this over and over

1071
00:37:57,200 --> 00:37:58,240
again

1072
00:37:58,240 --> 00:37:59,680
so that's all complex so then we're

1073
00:37:59,680 --> 00:38:00,640
going to create this thing called the

1074
00:38:00,640 --> 00:38:02,160
capec taxonomy because that's going to

1075
00:38:02,160 --> 00:38:06,078
make everything easier

1076
00:38:06,720 --> 00:38:09,359
does that look easy to you

1077
00:38:09,359 --> 00:38:11,920
doesn't to me this is why people don't

1078
00:38:11,920 --> 00:38:14,800
think devsecops and threat modeling can

1079
00:38:14,800 --> 00:38:17,040
possibly go together

1080
00:38:17,040 --> 00:38:18,480
but

1081
00:38:18,480 --> 00:38:20,480
i said that's a myth

1082
00:38:20,480 --> 00:38:21,680
and it is

1083
00:38:21,680 --> 00:38:23,520
because we can do this so much

1084
00:38:23,520 --> 00:38:24,800
differently

1085
00:38:24,800 --> 00:38:27,040
we need to think a little bit

1086
00:38:27,040 --> 00:38:28,320
differently

1087
00:38:28,320 --> 00:38:30,320
go back to the basics of threat modeling

1088
00:38:30,320 --> 00:38:32,880
for a minute and i know i've got

1089
00:38:32,880 --> 00:38:34,560
a colleague of mine she's probably

1090
00:38:34,560 --> 00:38:35,839
disappointed because i don't have the

1091
00:38:35,839 --> 00:38:37,839
slide in this particular deck you saw it

1092
00:38:37,839 --> 00:38:40,400
yesterday this is the infamous timmy

1093
00:38:40,400 --> 00:38:41,359
turner

1094
00:38:41,359 --> 00:38:43,200
attitude

1095
00:38:43,200 --> 00:38:45,520
threat modeling all it really is is

1096
00:38:45,520 --> 00:38:50,800
asking what could possibly go wrong

1097
00:38:52,000 --> 00:38:53,359
that's it

1098
00:38:53,359 --> 00:38:54,880
we don't need all these frameworks and

1099
00:38:54,880 --> 00:38:56,800
things we don't need all this

1100
00:38:56,800 --> 00:38:58,880
information we don't need

1101
00:38:58,880 --> 00:39:01,760
big design cycles

1102
00:39:01,760 --> 00:39:04,000
all we need to do is in plain language

1103
00:39:04,000 --> 00:39:06,400
define what are our critical assets and

1104
00:39:06,400 --> 00:39:11,599
what could possibly go wrong with them

1105
00:39:11,599 --> 00:39:12,560
now

1106
00:39:12,560 --> 00:39:14,480
we also want to push left

1107
00:39:14,480 --> 00:39:16,960
how much further left can you possibly

1108
00:39:16,960 --> 00:39:18,160
push

1109
00:39:18,160 --> 00:39:21,680
than the user story

1110
00:39:21,839 --> 00:39:24,400
that's where it begins it all starts at

1111
00:39:24,400 --> 00:39:25,920
the user story so if we can push

1112
00:39:25,920 --> 00:39:27,760
security practices left to the user

1113
00:39:27,760 --> 00:39:28,800
story

1114
00:39:28,800 --> 00:39:30,560
we've gone as far left as we could

1115
00:39:30,560 --> 00:39:32,480
possibly imagine and that's exactly

1116
00:39:32,480 --> 00:39:34,720
where we need to go so think about this

1117
00:39:34,720 --> 00:39:36,480
if threat modeling is just simply asking

1118
00:39:36,480 --> 00:39:38,560
what could possibly go wrong you do that

1119
00:39:38,560 --> 00:39:40,560
every day

1120
00:39:40,560 --> 00:39:43,119
every one of us does if you're my my

1121
00:39:43,119 --> 00:39:45,119
favorite example is you live in the

1122
00:39:45,119 --> 00:39:46,880
suburbs and you're going to go to the

1123
00:39:46,880 --> 00:39:49,440
city for a show

1124
00:39:49,440 --> 00:39:51,119
what are you going to think about you're

1125
00:39:51,119 --> 00:39:53,599
going to probably think about well where

1126
00:39:53,599 --> 00:39:55,280
am i going to find parking close enough

1127
00:39:55,280 --> 00:39:57,520
to the show how much is it going to cost

1128
00:39:57,520 --> 00:39:58,960
me

1129
00:39:58,960 --> 00:40:01,119
what happens if the car has issues on

1130
00:40:01,119 --> 00:40:02,480
the way down i get a flat tire or

1131
00:40:02,480 --> 00:40:03,520
whatever

1132
00:40:03,520 --> 00:40:05,280
is the area i'm going to and where i'm

1133
00:40:05,280 --> 00:40:08,319
going to park well lit and safe

1134
00:40:08,319 --> 00:40:10,240
what's the crime like in that area is

1135
00:40:10,240 --> 00:40:12,560
this an okay place to go what time do i

1136
00:40:12,560 --> 00:40:14,720
leave so i get there on time these are

1137
00:40:14,720 --> 00:40:16,319
all threats you're threat modeling in

1138
00:40:16,319 --> 00:40:17,680
your head and you're thinking about what

1139
00:40:17,680 --> 00:40:19,839
am i going to do about that so we want

1140
00:40:19,839 --> 00:40:23,040
our business people who write our user

1141
00:40:23,040 --> 00:40:25,040
stories to do the same

1142
00:40:25,040 --> 00:40:27,280
tell us what's important to you in this

1143
00:40:27,280 --> 00:40:30,400
just the scope of this user story

1144
00:40:30,400 --> 00:40:32,480
what critical assets are introduced or

1145
00:40:32,480 --> 00:40:34,960
being modified is it personal

1146
00:40:34,960 --> 00:40:37,280
information is it critical functions

1147
00:40:37,280 --> 00:40:39,839
that need to be available at all times

1148
00:40:39,839 --> 00:40:42,400
is is it you know financial assets or

1149
00:40:42,400 --> 00:40:44,640
trade secrets and then tell us what the

1150
00:40:44,640 --> 00:40:46,240
threats are is there a threat that they

1151
00:40:46,240 --> 00:40:49,200
could be stolen so there's a threat of

1152
00:40:49,200 --> 00:40:50,640
theft

1153
00:40:50,640 --> 00:40:52,720
is there a possibility of fraud

1154
00:40:52,720 --> 00:40:54,160
what are the key threats that you're

1155
00:40:54,160 --> 00:40:56,240
worried about and just put it in plain

1156
00:40:56,240 --> 00:40:58,640
language

1157
00:40:58,640 --> 00:41:01,280
because now this feeds the rest of our

1158
00:41:01,280 --> 00:41:03,200
pipeline and i'm going to show you how

1159
00:41:03,200 --> 00:41:05,440
this starts to progress us toward making

1160
00:41:05,440 --> 00:41:08,480
that pipeline faster and it shows our

1161
00:41:08,480 --> 00:41:11,599
teams how security can make them faster

1162
00:41:11,599 --> 00:41:13,520
and more efficient so i've got this

1163
00:41:13,520 --> 00:41:15,680
threat information in my backlog it's in

1164
00:41:15,680 --> 00:41:17,839
my user story i go and i pull that

1165
00:41:17,839 --> 00:41:19,599
user story maybe as part of sprint

1166
00:41:19,599 --> 00:41:22,160
planning or i'm just a dev who is in a

1167
00:41:22,160 --> 00:41:24,560
really really fast-paced ci cd and i

1168
00:41:24,560 --> 00:41:26,720
just pull the next high priority item

1169
00:41:26,720 --> 00:41:28,319
next highest priority item off of the

1170
00:41:28,319 --> 00:41:30,160
backlog

1171
00:41:30,160 --> 00:41:31,839
i look at that threat information either

1172
00:41:31,839 --> 00:41:33,839
way and i can say i understand my

1173
00:41:33,839 --> 00:41:36,240
security requirements because they've

1174
00:41:36,240 --> 00:41:37,440
told me what's important here and

1175
00:41:37,440 --> 00:41:39,359
they've told me the threats so now as i

1176
00:41:39,359 --> 00:41:41,839
move into coding i can build security

1177
00:41:41,839 --> 00:41:44,319
controls

1178
00:41:44,319 --> 00:41:45,839
i can reference back if we're really

1179
00:41:45,839 --> 00:41:47,920
mature i can reference back to reference

1180
00:41:47,920 --> 00:41:50,480
architectures or design standards

1181
00:41:50,480 --> 00:41:52,560
engineering standards those things that

1182
00:41:52,560 --> 00:41:53,440
help

1183
00:41:53,440 --> 00:41:55,680
our developers be more

1184
00:41:55,680 --> 00:41:58,480
enabled to create these

1185
00:41:58,480 --> 00:42:00,720
security controls but it doesn't stop

1186
00:42:00,720 --> 00:42:02,560
there because i have this information

1187
00:42:02,560 --> 00:42:04,240
and now i know what security controls

1188
00:42:04,240 --> 00:42:06,319
i've prioritized and created well that

1189
00:42:06,319 --> 00:42:08,560
can feed my test cases

1190
00:42:08,560 --> 00:42:10,400
because now i know what's most important

1191
00:42:10,400 --> 00:42:12,240
from a security perspective so i can

1192
00:42:12,240 --> 00:42:14,480
feed that into my automated test cases

1193
00:42:14,480 --> 00:42:16,560
and then because that information is

1194
00:42:16,560 --> 00:42:19,280
there when i moved to deployment

1195
00:42:19,280 --> 00:42:21,520
my sres my ops teams everybody was

1196
00:42:21,520 --> 00:42:22,720
responsible

1197
00:42:22,720 --> 00:42:25,040
for that piece of it they understand how

1198
00:42:25,040 --> 00:42:27,359
to configure the monitoring to watch for

1199
00:42:27,359 --> 00:42:30,720
those potential threats

1200
00:42:30,720 --> 00:42:32,480
this is how threat modeling can fit in

1201
00:42:32,480 --> 00:42:34,319
here and is how threat modeling can be

1202
00:42:34,319 --> 00:42:39,359
used to make your pipeline faster

1203
00:42:39,359 --> 00:42:41,680
reduce works in progress

1204
00:42:41,680 --> 00:42:44,560
deploy quicker because security you're

1205
00:42:44,560 --> 00:42:46,400
responsible for it so this is how you

1206
00:42:46,400 --> 00:42:47,839
get there

1207
00:42:47,839 --> 00:42:50,720
use threat modeling not only is it not

1208
00:42:50,720 --> 00:42:52,720
incompatible

1209
00:42:52,720 --> 00:42:54,960
it's necessary and it's a huge asset to

1210
00:42:54,960 --> 00:42:56,960
you so let's start to

1211
00:42:56,960 --> 00:42:58,480
let's do this

1212
00:42:58,480 --> 00:43:00,400
now if you want to know more again go to

1213
00:43:00,400 --> 00:43:02,800
my talk from yesterday

1214
00:43:02,800 --> 00:43:05,040
see that talk pasta

1215
00:43:05,040 --> 00:43:07,440
octave stride oh my

1216
00:43:07,440 --> 00:43:09,040
and i'll give you more pointers in that

1217
00:43:09,040 --> 00:43:12,720
one on how you do this

1218
00:43:12,720 --> 00:43:14,640
last myth myth number five you guys

1219
00:43:14,640 --> 00:43:16,880
almost made it we're almost there

1220
00:43:16,880 --> 00:43:18,800
one more myth i need you security people

1221
00:43:18,800 --> 00:43:21,280
to stop putting out there and that is

1222
00:43:21,280 --> 00:43:23,280
this idea that we need to break down the

1223
00:43:23,280 --> 00:43:24,880
silos in order to build devsecops

1224
00:43:24,880 --> 00:43:27,839
culture

1225
00:43:28,560 --> 00:43:32,000
silos exist for a reason

1226
00:43:32,240 --> 00:43:34,160
because we need

1227
00:43:34,160 --> 00:43:36,000
people who specialize in certain

1228
00:43:36,000 --> 00:43:37,440
knowledge

1229
00:43:37,440 --> 00:43:39,359
when i say shared responsibility that

1230
00:43:39,359 --> 00:43:42,000
doesn't mean that i want my

1231
00:43:42,000 --> 00:43:43,839
security people

1232
00:43:43,839 --> 00:43:46,800
to be in there configuring databases

1233
00:43:46,800 --> 00:43:48,800
configuring

1234
00:43:48,800 --> 00:43:51,119
you know kubernetes clusters things of

1235
00:43:51,119 --> 00:43:52,560
that nature

1236
00:43:52,560 --> 00:43:55,520
i don't want my ops writing application

1237
00:43:55,520 --> 00:43:57,839
code

1238
00:43:58,240 --> 00:43:59,520
i want everybody to have an

1239
00:43:59,520 --> 00:44:01,920
understanding and to do their part

1240
00:44:01,920 --> 00:44:04,319
but we still want those expert those

1241
00:44:04,319 --> 00:44:06,640
areas of expertise we don't want to

1242
00:44:06,640 --> 00:44:09,440
break down silos we need to network

1243
00:44:09,440 --> 00:44:12,400
those silos

1244
00:44:12,400 --> 00:44:15,040
we want them to talk and work together

1245
00:44:15,040 --> 00:44:16,560
productively

1246
00:44:16,560 --> 00:44:19,200
build up scrum teams let's dive into

1247
00:44:19,200 --> 00:44:20,560
that let's talk about this before i get

1248
00:44:20,560 --> 00:44:23,119
ahead of myself

1249
00:44:23,119 --> 00:44:26,160
building that empathy and culture

1250
00:44:26,160 --> 00:44:30,240
is how we network these silos together

1251
00:44:30,240 --> 00:44:32,000
empathy is one of the things that i

1252
00:44:32,000 --> 00:44:34,240
think is so underrated i but i'm glad

1253
00:44:34,240 --> 00:44:35,520
i'm hearing more and more people talk

1254
00:44:35,520 --> 00:44:37,920
about the need for it in security we

1255
00:44:37,920 --> 00:44:40,319
need it in devsecops

1256
00:44:40,319 --> 00:44:42,000
because it's how we make all this work

1257
00:44:42,000 --> 00:44:44,560
it's how we network across silos and

1258
00:44:44,560 --> 00:44:46,960
make sure that instead of breaking down

1259
00:44:46,960 --> 00:44:50,640
silos we make the silos work together

1260
00:44:50,640 --> 00:44:53,680
in concert with each other

1261
00:44:53,680 --> 00:44:55,520
one of the ways you can do this is this

1262
00:44:55,520 --> 00:44:58,000
idea of walking a mile in their shoes

1263
00:44:58,000 --> 00:45:02,240
job shadowing get dev and sec and ops

1264
00:45:02,240 --> 00:45:03,760
spending time

1265
00:45:03,760 --> 00:45:06,560
working in each other's roles and don't

1266
00:45:06,560 --> 00:45:09,920
just use your junior devs don't just use

1267
00:45:09,920 --> 00:45:12,800
your junior security analysts send the

1268
00:45:12,800 --> 00:45:14,560
senior folks i know it's tough because

1269
00:45:14,560 --> 00:45:15,920
they're very productive and you don't

1270
00:45:15,920 --> 00:45:18,880
want to give up that productivity

1271
00:45:18,880 --> 00:45:20,480
but they're the ones who will have the

1272
00:45:20,480 --> 00:45:22,400
best perspective to bring that back to

1273
00:45:22,400 --> 00:45:23,599
the team

1274
00:45:23,599 --> 00:45:25,359
and this is all about building that

1275
00:45:25,359 --> 00:45:27,920
empathy where now they understand what

1276
00:45:27,920 --> 00:45:30,079
the people in security what the people

1277
00:45:30,079 --> 00:45:32,400
in ops are dealing with as a result of

1278
00:45:32,400 --> 00:45:35,040
what comes to them from the development

1279
00:45:35,040 --> 00:45:36,960
side and now they can start to shape

1280
00:45:36,960 --> 00:45:38,960
that they start interfacing with those

1281
00:45:38,960 --> 00:45:41,200
people on a daily basis and it humanizes

1282
00:45:41,200 --> 00:45:45,879
each other and now they interact better

1283
00:45:46,160 --> 00:45:48,319
from a security perspective if we're

1284
00:45:48,319 --> 00:45:49,920
going to talk about

1285
00:45:49,920 --> 00:45:53,440
new processes new tools anything

1286
00:45:53,440 --> 00:45:56,319
we have got to meet them where they live

1287
00:45:56,319 --> 00:45:59,200
provide resources and tooling that fit

1288
00:45:59,200 --> 00:46:01,760
in the pipeline

1289
00:46:01,760 --> 00:46:04,160
this is knowledge this is processes this

1290
00:46:04,160 --> 00:46:06,240
is tooling it's all of it make sure that

1291
00:46:06,240 --> 00:46:08,400
if you're going to introduce a new piece

1292
00:46:08,400 --> 00:46:10,800
of security tooling maybe you're

1293
00:46:10,800 --> 00:46:14,000
launching a new sca platform or some new

1294
00:46:14,000 --> 00:46:17,599
cloud security product

1295
00:46:17,839 --> 00:46:21,760
how does that tie into their pipeline

1296
00:46:21,760 --> 00:46:24,319
can it be automated

1297
00:46:24,319 --> 00:46:27,040
can their build scripts automate that

1298
00:46:27,040 --> 00:46:30,079
can the results be automated into new

1299
00:46:30,079 --> 00:46:33,440
entries in the backlog

1300
00:46:36,880 --> 00:46:38,640
how do we make this happen make sure

1301
00:46:38,640 --> 00:46:39,920
everything

1302
00:46:39,920 --> 00:46:41,119
plugs in

1303
00:46:41,119 --> 00:46:42,960
to their existing tooling

1304
00:46:42,960 --> 00:46:47,359
this is how we eliminate friction

1305
00:46:47,440 --> 00:46:48,160
so

1306
00:46:48,160 --> 00:46:51,280
while automation isn't

1307
00:46:51,280 --> 00:46:54,079
the only part of devsecops it is still

1308
00:46:54,079 --> 00:46:57,760
part of those five areas we talked about

1309
00:46:57,760 --> 00:46:59,680
to building that culture so make sure

1310
00:46:59,680 --> 00:47:01,760
you meet them where they live give them

1311
00:47:01,760 --> 00:47:04,000
tools that are familiar to them things

1312
00:47:04,000 --> 00:47:06,400
that plug into their ide so they don't

1313
00:47:06,400 --> 00:47:08,400
have to learn a new way of doing their

1314
00:47:08,400 --> 00:47:10,800
job they don't have to add additional

1315
00:47:10,800 --> 00:47:13,040
complexity to the things that they're

1316
00:47:13,040 --> 00:47:13,920
doing

1317
00:47:13,920 --> 00:47:16,400
so that they can continue to improve the

1318
00:47:16,400 --> 00:47:20,560
speed and reduce works in progress

1319
00:47:21,119 --> 00:47:23,280
then it's about paving the road

1320
00:47:23,280 --> 00:47:25,200
so as you're building this as you're

1321
00:47:25,200 --> 00:47:27,760
looking at it in terms of tool selection

1322
00:47:27,760 --> 00:47:28,800
you're throwing it out there you're

1323
00:47:28,800 --> 00:47:31,440
enabling your developers now comes that

1324
00:47:31,440 --> 00:47:34,559
idea of income of accountable trust

1325
00:47:34,559 --> 00:47:36,800
how many of us deal with security teams

1326
00:47:36,800 --> 00:47:39,280
who are overwhelmed with work we can't

1327
00:47:39,280 --> 00:47:41,119
keep up with

1328
00:47:41,119 --> 00:47:43,359
all of the demands of you know trying to

1329
00:47:43,359 --> 00:47:44,880
review all the software that comes our

1330
00:47:44,880 --> 00:47:47,599
way from our development teams

1331
00:47:47,599 --> 00:47:50,079
make them accountable trust them to do

1332
00:47:50,079 --> 00:47:52,000
the right thing trust them to see that

1333
00:47:52,000 --> 00:47:54,079
if there is a better way

1334
00:47:54,079 --> 00:47:57,119
they can accomplish the same objective

1335
00:47:57,119 --> 00:47:58,880
in that other way

1336
00:47:58,880 --> 00:48:01,440
and enable them to do that you trust

1337
00:48:01,440 --> 00:48:03,280
them but you trust them because you've

1338
00:48:03,280 --> 00:48:04,800
built a culture where they understand

1339
00:48:04,800 --> 00:48:06,480
that they're accountable

1340
00:48:06,480 --> 00:48:09,359
this takes time it takes effort and

1341
00:48:09,359 --> 00:48:11,040
security still needs some level of

1342
00:48:11,040 --> 00:48:13,759
oversight

1343
00:48:13,920 --> 00:48:15,760
but at the end of the day this is how we

1344
00:48:15,760 --> 00:48:17,839
get better because we can't keep up we

1345
00:48:17,839 --> 00:48:20,160
don't have those unlimited budgets it

1346
00:48:20,160 --> 00:48:22,800
just doesn't happen

1347
00:48:22,800 --> 00:48:26,319
pave the road put the path make it so

1348
00:48:26,319 --> 00:48:28,400
that the secure way to get there is the

1349
00:48:28,400 --> 00:48:30,240
easiest way to get there

1350
00:48:30,240 --> 00:48:32,800
but then if you're wrong enable them to

1351
00:48:32,800 --> 00:48:37,280
change that path and pave their own road

1352
00:48:37,280 --> 00:48:39,839
and then finally mutual engagement when

1353
00:48:39,839 --> 00:48:42,720
we're talking about empathy this is huge

1354
00:48:42,720 --> 00:48:45,119
how many of you invite your sres and

1355
00:48:45,119 --> 00:48:47,440
your security team

1356
00:48:47,440 --> 00:48:49,920
to your your scrums to your daily

1357
00:48:49,920 --> 00:48:51,680
stand-ups

1358
00:48:51,680 --> 00:48:53,119
to your sprint planning to your

1359
00:48:53,119 --> 00:48:55,200
retrospectives

1360
00:48:55,200 --> 00:48:56,800
do they come to your risk committee

1361
00:48:56,800 --> 00:49:00,480
meetings your devs and your ops teams

1362
00:49:00,480 --> 00:49:02,960
they should you should all be

1363
00:49:02,960 --> 00:49:05,920
interacting on a daily basis

1364
00:49:05,920 --> 00:49:07,760
when these daily activities include

1365
00:49:07,760 --> 00:49:10,000
everybody this builds that idea of

1366
00:49:10,000 --> 00:49:12,480
shared responsibility where everybody

1367
00:49:12,480 --> 00:49:14,000
understands that while they bring their

1368
00:49:14,000 --> 00:49:16,000
own expertise and perspectives they're

1369
00:49:16,000 --> 00:49:18,160
ultimately all responsible for the same

1370
00:49:18,160 --> 00:49:19,200
thing

1371
00:49:19,200 --> 00:49:21,119
that's how you get to a devsecops

1372
00:49:21,119 --> 00:49:23,599
culture you need to get everybody

1373
00:49:23,599 --> 00:49:26,319
into that mode of we work together for

1374
00:49:26,319 --> 00:49:28,240
the same objectives

1375
00:49:28,240 --> 00:49:30,880
creating that mutual engagement drives

1376
00:49:30,880 --> 00:49:33,520
that culture it builds that empathy and

1377
00:49:33,520 --> 00:49:35,760
again it humanizes each other where we

1378
00:49:35,760 --> 00:49:37,680
understand the challenges and we don't

1379
00:49:37,680 --> 00:49:39,119
just make assumptions when we see

1380
00:49:39,119 --> 00:49:40,319
something we don't like that it's

1381
00:49:40,319 --> 00:49:43,520
because somebody was being lazy

1382
00:49:43,520 --> 00:49:45,520
so it's just about time for me to wrap

1383
00:49:45,520 --> 00:49:48,160
up here but as i usually do i want to

1384
00:49:48,160 --> 00:49:49,599
leave you with a quote and this one

1385
00:49:49,599 --> 00:49:51,200
comes from henry ford

1386
00:49:51,200 --> 00:49:53,599
coming together is the beginning

1387
00:49:53,599 --> 00:49:55,040
creating an organization of lots of

1388
00:49:55,040 --> 00:49:56,319
different people

1389
00:49:56,319 --> 00:49:58,599
keeping together is progress so

1390
00:49:58,599 --> 00:50:00,880
establishing those processes and things

1391
00:50:00,880 --> 00:50:02,960
that we all work within

1392
00:50:02,960 --> 00:50:04,559
but working

1393
00:50:04,559 --> 00:50:05,920
together

1394
00:50:05,920 --> 00:50:08,640
the shared responsibility is where we

1395
00:50:08,640 --> 00:50:11,040
find success

1396
00:50:11,040 --> 00:50:14,960
that is the key to devsecops that is the

1397
00:50:14,960 --> 00:50:18,720
vision that patrick and andrew and gene

1398
00:50:18,720 --> 00:50:20,160
and josh

1399
00:50:20,160 --> 00:50:22,880
laid out for us so many years ago

1400
00:50:22,880 --> 00:50:24,559
that we need to keep driving for

1401
00:50:24,559 --> 00:50:26,559
security practitioners we need to

1402
00:50:26,559 --> 00:50:29,359
understand how we

1403
00:50:29,359 --> 00:50:32,160
in security

1404
00:50:32,160 --> 00:50:34,559
need to be just as responsible

1405
00:50:34,559 --> 00:50:36,160
as our developers

1406
00:50:36,160 --> 00:50:38,559
and as our operations teams

1407
00:50:38,559 --> 00:50:41,119
and we can make this work

1408
00:50:41,119 --> 00:50:41,839
so

1409
00:50:41,839 --> 00:50:43,920
did i get it wrong

1410
00:50:43,920 --> 00:50:47,440
am i completely out of my gourd

1411
00:50:47,440 --> 00:50:49,680
do you want to nitpick something i said

1412
00:50:49,680 --> 00:50:51,359
and i didn't quite get it right let me

1413
00:50:51,359 --> 00:50:53,599
know interact with me here's my social

1414
00:50:53,599 --> 00:50:55,520
media information twitter is by far the

1415
00:50:55,520 --> 00:50:57,440
easiest way you've got my linkedin

1416
00:50:57,440 --> 00:50:59,200
information there as well my website you

1417
00:50:59,200 --> 00:51:01,119
can contact me through there

1418
00:51:01,119 --> 00:51:02,640
find out where i'm speaking next if you

1419
00:51:02,640 --> 00:51:04,559
want to catch me at a real life

1420
00:51:04,559 --> 00:51:05,920
conference since we're starting to get

1421
00:51:05,920 --> 00:51:08,400
back to those now

1422
00:51:08,400 --> 00:51:09,760
come talk to me

1423
00:51:09,760 --> 00:51:11,760
share your ideas criticize what i've

1424
00:51:11,760 --> 00:51:14,800
said challenge me let's all get better

1425
00:51:14,800 --> 00:51:16,160
at this

1426
00:51:16,160 --> 00:51:18,480
so finally as i'm wrapping up

1427
00:51:18,480 --> 00:51:21,520
big big big big thank you

1428
00:51:21,520 --> 00:51:23,920
thank you circle city con it has been my

1429
00:51:23,920 --> 00:51:26,880
honor to be able to present here today

1430
00:51:26,880 --> 00:51:28,960
and yesterday too

1431
00:51:28,960 --> 00:51:30,720
thank you s&p ratings for making it

1432
00:51:30,720 --> 00:51:32,720
possible for me to be here to share some

1433
00:51:32,720 --> 00:51:34,480
of the experiences that i've developed

1434
00:51:34,480 --> 00:51:38,720
just working through that organization

1435
00:51:38,720 --> 00:51:41,599
but most importantly thank all of you

1436
00:51:41,599 --> 00:51:44,319
thank you so much for being here thank

1437
00:51:44,319 --> 00:51:46,960
you for your support not only of me not

1438
00:51:46,960 --> 00:51:49,680
only of this conference

1439
00:51:49,680 --> 00:51:51,119
but the whole idea of making our

1440
00:51:51,119 --> 00:51:53,599
security community better i love you all

1441
00:51:53,599 --> 00:51:55,760
thank you very much have a wonderful

1442
00:51:55,760 --> 00:52:00,280
rest of your weekend take care


