Introduction to DevSecOps Quintessence Anx
A presentation at PagerDuty Summit in June 2021 in by Quintessence Anx
Introduction to DevSecOps Quintessence Anx
Quintessence Anx Developer Advocate, PagerDuty
Mandi Walls Developer Advocate, PagerDuty Nasim Yazdani Program Manager, PagerDuty
Getting Started If you have not already joined, please create a community account at community.pagerduty.com/join/pdu We will have a variety of sessions and workshop breakouts to test your knowledge throughout the course in our community. Redeem points for swag! ● ● ● Introductions 2 Knowledge Checks Post-Course Survey
📸 Doppler Team
Earn Points! 📝 Link in Chat
Agenda 1 Introduction 2 What is DevSecOps? 3 Cultural Shifts 4 Shifting Left 5 Q&A
Don’t Panic
This will be an interactive workshop, as much as possible
I’ll be doing (some) live questions in the presentation.
Questions will be via Slido
And so it begins…
Introduction & Context Setting
How do you feel development, operations, and security work together today? ⓘ Start presenting to display the poll results on this slide.
Dev+Ops: how do you feel when you need to work with security? Security: how do you feel when you need to work with dev and/or ops? ⓘ Start presenting to display the poll results on this slide.
A few questions about The Phoenix Project
Have you read The Phoenix Project? ⓘ Start presenting to display the poll results on this slide.
How well do you recall the story overall? ⓘ Start presenting to display the poll results on this slide.
Which character do you most identify with, in terms of your current role or career? ⓘ Start presenting to display the poll results on this slide.
A Basic Phoenix Project Org Chart
A Basic Phoenix Project Org Chart
Let’s reflect on this for a moment
How favorably did Bill talk about developers? ⓘ Start presenting to display the poll results on this slide.
How favorably did Bill talk about security? ⓘ Start presenting to display the poll results on this slide.
How did you view security in this interaction? ⓘ Start presenting to display the poll results on this slide.
Empathy exercise: how do you think security felt in this interaction, or in parallel real world scenarios? ⓘ Start presenting to display the poll results on this slide.
Let’s discuss.
What and How of DevSecOps
What was that all about? 🤨
Current Situation
Vaulting over “the wall”
DevSecOps
DevSecOps is the set of cultural practices that aims to break down the silo between security and development+operations.
Specifically, DevSecOps seeks to address the organizational friction that exists between these teams and departments.
What DevSecOps is not
DevSecOps is not replacing security with dev and/or ops, or expecting dev and/or ops to become security specialists, or expecting security to become devs and/or ops.
Phew.
DevSecOps is supported by both human activity and tooling.
The first step on your DevSecOps journey: awareness.
Best Practices are a Journey, not a One Size Fits All
There are a lot of Best Practices relevant to DevSecOps - so you’ll need to be aware of self and organization to be able to apply and iterate.
Curious: How many of you are interested in cross discipline learning? ⓘ Start presenting to display the poll results on this slide.
What are some ideas you have for implementing DevSecOps in your company? ⓘ Start presenting to display the poll results on this slide.
DevSecOps is implemented by …
Cultural Changes: Cross Functional Awareness and Empathy
Shifting Left in the Secure Software Development Life Cycle
Security Incident Remediation Process
Let’s talk culture first
Cultural Changes
Cultural Aptitude & Empathy
Blameless Culture
Full Service Ownership
Shadowing
By helping each other, we help ourselves.
Security Champions Program
What are some ways you can support a DevSecOps transformation at your company? ⓘ Start presenting to display the poll results on this slide.
Shifting Left
Secure SDLC
What are some security activities? ⓘ Start presenting to display the poll results on this slide.
Another Secure SDLC
Why is it called “shift left”?
An FTL Overview
Secure Design and Code
Secure Building, Testing, Delivery, & Deployment
Secure Runtime and Monitoring
Your Mileage May Vary
Everyone is relevant
Improve Security Posture
Security Posture
A company’s security posture is their overall readiness against security threats.
What are some ways that your security team helps improve your security posture? ⓘ Start presenting to display the poll results on this slide.
Always Ask
�� What do you do even do here? ⛔
�� How do you help us with ${X}? ✅
Security Assessments
Threat Modeling Exercises
Capture the Flag Games
Socially Engineer Trainings
Do not trick staff, ever
Example Security Training Slides
How many of you have attended a standard security training and received benefit from it? ⓘ Start presenting to display the poll results on this slide.
Security Training Ops Guide
Do you think a training like that would be more beneficial to your organization? ⓘ Start presenting to display the poll results on this slide.
True or false: Once we do All The Things we will be secure, forever! ⓘ Start presenting to display the poll results on this slide.
Secure Incident Response
Security & Incident Response
A security incident is an incident that actually or potentially violates the security policies of a system or information that the system processes, stores, and/or transmits.
When to trigger a security incident
What happens next?
The Fourteen Steps 1. Stop the attack in progress. 2. Cut off the attack vector. 3. Assemble the response team. 4. Isolate affected instances. 5. Identify timeline of attack. 6. Identify compromised data. 7. Assess risk to other systems. 9. Apply additional mitigations, additions to monitoring, etc. 10. Forensic analysis of compromised systems. 11. Internal communication. 12. Involve law enforcement. 13. Reach out to external parties that may have been used as vector for attack. 14. External communication. 8. Assess risk of re-attack.
Step 1: Stop the attack in progress.
Step 2: Cut off the attack vector.
Step 3: Assemble the response team.
Step 4: Isolate affected instances.
Step 5: Identify timeline of attack
Step 6: Identify compromised data.
Step 7: Assess risk to other systems.
Step 8: Assess risk of re-attack.
Step 9: Apply additional mitigations, additions to monitoring, etc.
Step 10: Forensic analysis of compromised systems.
Step 11: Internal communication
Step 12: Involve law enforcement.
Step 13: Reach out to external parties that may have been used as a vector for attack.
Step 14: External communication
The Fourteen Steps (Recap) 1. Stop the attack in progress. 2. Cut off the attack vector. 3. Assemble the response team. 4. Isolate affected instances. 5. Identify timeline of attack. 6. Identify compromised data. 7. Assess risk to other systems. 9. Apply additional mitigations, additions to monitoring, etc. 10. Forensic analysis of compromised systems. 11. Internal communication. 12. Involve law enforcement. 13. Reach out to external parties that may have been used as vector for attack. 14. External communication. 8. Assess risk of re-attack.
References and Resources
Resources PagerDuty DevSecOps Guide devsecops.pagerduty.com All PagerDuty Ops Guides - including security training pagerduty.com/ops-guides/ STRIDE Threat Modeling Framework ThoughtWorks Implementation Link About Capture the Flag (for InfoSec) ctf101.org Resources also available at the PagerDuty University Booth
📸 Purple Team
Final Exam! (Kidding, but really earn some points ☺) Link in Chat
Thank You Final Swag Challenge: Survey (in chat)
