DevOpsDays 2023: Security is about to become a DevOps Problem
chipadeedoodah
24 slides
Oct 16, 2025
About This Presentation
"Shift Left" increasingly means "It's a DevOps problem now," and organizations are trying to combine defensive security into operations and devops roles in a new "DevSecOps" movement.
Forever asked to do more with less, DevOps teams are facing yet more responsibilities without additional resources. This deck explores new mindsets, tools, techniques, and strategies to survive and thrive.
Originally shared at DevOpsDays Austin, 2023, an update to the 2022 deck.
Size: 8.68 MB
Language: en
Slide Content
Security is about to become a DevOps Problem. What are you going to do about it?
The Next 20 Minutes
This is a security talk at a DevOps conference, why are you here?
DevOps: high-level DevOps strategy, explaining my perspective on the movement
InfoSec Team 101: the people part of security teams, CISOs, and why "shift left" means more work for you
Strategic goals
Tooling demo: why the cnspec project will give you a leg up dealing with your new problem space
Why you should listen to me
Internet user since 1992. Sysadmin for hire since 1995. Part of the DevOps movement since 2010. Spent five years at Chef pioneering the practice of testing Infrastructure as Code with InSpec and Test Kitchen. Working with security vendors since 2017.
I’m going to tell you what DevOps is, and I’m going to be right (No, seriously. Gene Kim & John Willis say so.)
DevOps means solving 5 Predictable Bottlenecks
1. Environment Creation: teams must be able to create an environment for your app on-demand.
2. Code Deployment: deploying your project must be a single-step process, as fast as possible.
3. Testing: every change should be tested prior to production.
4. Architecture: loosely-coupled architecture results in a diminished blast radius for failed changes.
5. Ideas: "The constraint ends up being product owners, and how many ideas they can come up with." – Adrian Cockcroft, Netflix // Roy Rapoport, Netflix
Source: Beyond The Phoenix Project: The Origins and Evolution of DevOps, Gene Kim and John Willis, 2018
"Combining continuous delivery, loosely-coupled architecture, version control, and continuous integration fosters software delivery performance that is greater than the sum of its parts." – DORA 2022 State of DevOps Report
Empathy for the Security team
Average CISO tenure: 18-26 months. https://www.cylumena.com/insights/ciso-turnover-problem/
Security gets sidelined
Security teams theoretically have the power to stop value delivery (though in practice they are almost always overruled).
Security breaches typically don't impact the bottom line.
High CISO turnover has created unstable information security organizations.
"Stock prices during and following the high profile security data breaches... have decreased slightly or quickly recovered following the breach." – Harvard Business Review, https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices
How it started
How it’s going
People are getting (bad) ideas
What you should do
Strategic Goals for DevOps adopting automated testing
The practices that make your DevOps teams effective at delivering highly available, high-quality sites will also enable effective security practices.
1. Cover the first two bottlenecks first.
2. Automate acceptance testing: you need to test that the infrastructure you built continues to match specifications.
3. Automate evidence collection for compliance: your (Dockerfile | Helm chart | Terraform | Kubernetes manifest) is not proof.
Cover the First Two Bottlenecks First
Automate environment creation: build and tear down environments at least weekly. Preferably hourly.
Automate deployment: deploy as often as is safe for your business. Deploy to dev on every commit.
Embrace immutable artifacts: every build should result in an immutable artifact, even if you're shipping to a JIT runtime.
Automate Security & Compliance testing
Pipeline stages: Functional, Security, Compliance, Deploy … and fail builds on security & compliance checks.
Test the whole supply chain
Dependencies (SBOM): products like Snyk and Sonatype find problems in upstream libraries.
Infrastructure automation: check your IaC code, and also your build infrastructure.
SCM and services: don't forget to test GitHub/GitLab, and any other API-based services your company depends on such as Okta/Auth0, Slack, MS365, Google Apps, or LaunchDarkly.
Your Dockerfile isn't evidence
To an auditor, your source code and pipelines are implementation details. All they care about are the finished artifacts.
"Just one more thing… Does that container run as root?"
Demo Time
cnspec (https://cnspec.io)
cnspec is an open source tool that evaluates the security & compliance of your entire infrastructure. Using a free policy library, cnspec identifies gaps that attackers can use to breach your systems.
From the creators of Chef InSpec.
Wide provider ecosystem: cnspec connects to a huge variety of services.
Policies are based on the MQL query language (think GraphQL with assertions).
Anatomy of policy-as-code
Name: describes the intent of the policy. Example: Amazon Linux 2023 Baseline
Check: describes what the test will prove. Example: Ensure DHCP Server packages are not installed
Assertion: the MQL query that proves it.
package("dhcp").installed == false
package("isc-dhcp-server").installed == false
One Check Enforced Everywhere
Assertion at Source: static analysis of the Terraform code. Ensure GCS buckets include a git_org label.
Assertion at Plan: static analysis of the Terraform plan. Ensure GCS buckets include a git_org label.
Assertion at Infrastructure: inspect the GCP configuration at the API. Ensure GCS buckets include a git_org label.
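The same idea in plain Python, as an added example (not from the slides and not cnspec's MQL): one predicate, "every GCS bucket carries a non-empty git_org label", evaluated at plan time against the JSON that `terraform show -json` emits and at runtime against the JSON that the GCS `buckets.list` API returns. Both inputs are constructed to show the shapes, the function names are mine, and the source-level (HCL) assertion is left out because it needs an HCL parser.

```python
"""Added example: one assertion, two stages (Terraform plan JSON and GCS API)."""


def has_git_org_label(labels):
    """The single predicate every stage shares. A missing, empty or blank
    value all fail; an auditor will not accept git_org = ""."""
    return bool(str((labels or {}).get("git_org", "")).strip())


def plan_bucket_findings(plan):
    """Assertion at plan: walk planned_values (root module plus nested
    child_modules) and return the addresses of managed google_storage_bucket
    resources that fail the predicate. Data sources (mode == "data") are
    skipped because the plan does not own their labels."""
    findings = []

    def walk(module):
        for res in module.get("resources", []):
            if res.get("type") != "google_storage_bucket" or res.get("mode") == "data":
                continue
            if not has_git_org_label(res.get("values", {}).get("labels")):
                findings.append(res["address"])
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return sorted(findings)


def api_bucket_findings(listing):
    """Assertion at infrastructure: the same predicate over the JSON returned
    by the GCS JSON API buckets.list call (items[].labels)."""
    return sorted(
        bucket["name"]
        for bucket in listing.get("items", [])
        if not has_git_org_label(bucket.get("labels"))
    )


# Constructed plan in the `terraform show -json` layout: one compliant bucket,
# one with no git_org label, one in a child module with a blank label.
CONSTRUCTED_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "google_storage_bucket.assets", "mode": "managed",
                 "type": "google_storage_bucket",
                 "values": {"name": "acme-assets", "labels": {"git_org": "acme", "env": "prod"}}},
                {"address": "google_storage_bucket.logs", "mode": "managed",
                 "type": "google_storage_bucket",
                 "values": {"name": "acme-logs", "labels": {"env": "prod"}}},
            ],
            "child_modules": [
                {"address": "module.data", "resources": [
                    {"address": "module.data.google_storage_bucket.raw", "mode": "managed",
                     "type": "google_storage_bucket",
                     "values": {"name": "acme-raw", "labels": {"git_org": "  "}}},
                ]},
            ],
        }
    },
}

# Constructed buckets.list response: the drifted bucket has no labels at all.
CONSTRUCTED_LISTING = {
    "kind": "storage#buckets",
    "items": [
        {"kind": "storage#bucket", "name": "acme-assets", "labels": {"git_org": "acme", "env": "prod"}},
        {"kind": "storage#bucket", "name": "acme-logs"},
    ],
}

if __name__ == "__main__":
    print("plan findings:", plan_bucket_findings(CONSTRUCTED_PLAN))
    print("api findings:", api_bucket_findings(CONSTRUCTED_LISTING))
```

The point of sharing `has_git_org_label` is that a finding at plan time and a finding from the API mean the same thing, so the plan-stage result can gate the build while the API-stage result catches drift and anything created outside Terraform.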
Live Demo
About Me
Chip Johnson is a Product Manager at Mondoo, focused on making tools you'll love. He's been a part of the DevOps community since 2010, and making and breaking things on the internet since 1992. He most recently held positions at Auth0, Sonatype, and Chef Software.
@Jeffersonstarchip
Mastodon: Hachyderm.io
LinkedIn: https://www.linkedin.com/in/jeffersonstarchip/
Email: [email protected]