How to effect change in the Epistemological Wasteland of Application Security


  1. How to effect change in the Epistemological Wasteland of Application Security James Wickett

  2. How to effect change in the Epistemological wasteland of Application Security - @wickett

  3. James Wickett, Sr. Engineer, Signal Sciences, Austin, TX. Hands-On Gauntlt book. DevOpsDays Global Organizer. LASCON Organizer. @wickett #ruggeddevops

  4. Application Security Monitoring and Instrumentation. Application Security you can use! An approach that integrates with DevOps organizations. Productizing the Etsy security approach.

  5. signalsciences.com

  6. Summary. Software development has been a constant experiment in how we know anything. Application Security abdicated runtime responsibility, and effectively abdicated development responsibility, through incoherent philosophical approaches and fostering organizational silos. DevOps is here to stay, and security can actually be a part of it. Ops found a way to add value; security needs to find that same path. There are three ways we can add value: at development, at deploy, at runtime. @wickett #ruggeddevops

  7. A study in how we know anything in Application Security @wickett #ruggeddevops

  8. Spoiler Alert: We don’t! @wickett #ruggeddevops

  9. once upon a time… @wickett #ruggeddevops

  10. Epistemological Problem of Software Development @wickett #ruggeddevops

  11. We optimize for the probable @wickett #ruggeddevops

  12. Unit Testing @wickett #ruggeddevops

  13. Integration Testing @wickett #ruggeddevops

  14. Happy Path Engineering @wickett #ruggeddevops

  15. We also optimize for the possible @wickett #ruggeddevops

  16. Over Engineering @wickett #ruggeddevops

  17. The scaling algo that never got used… @wickett #ruggeddevops

  18. There is too much to choose from in the realm of possible @wickett #ruggeddevops

  19. Actually, we optimize for the perceived probable @wickett #ruggeddevops

  20. How do we know what to create? @wickett #ruggeddevops

  21. This is the problem @wickett #ruggeddevops

  22. Epistemological Problem of Software Development @wickett #ruggeddevops

  23. We gather data and rhetoric to support our theories @wickett #ruggeddevops

  24. There are 3 major arcs in the history of Software Development @wickett #ruggeddevops

  25. First Arc: Agile @wickett #ruggeddevops

  26. Agile avoids the problem @wickett #ruggeddevops

  27. Agile reminds us that we don’t know what we are building @wickett #ruggeddevops

  28. @wickett #ruggeddevops

  29. Behavior Driven Development @wickett #ruggeddevops

  30. BDD = Agile + feedback @wickett #ruggeddevops

  31. Behavior Driven Development is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters. Dan North, 2009 @wickett #ruggeddevops

  32. Amplify Feedback Loop @wickett #ruggeddevops

  33. Agile emphasizes feedback to developers from their overlords and sometimes even customers @wickett #ruggeddevops

  34. TL;DR: Rapid Iterations Win @wickett #ruggeddevops

  35. Agile is our guiding Light @wickett #ruggeddevops

  36. The world has changed since Agile @wickett #ruggeddevops

  37. We don’t sell CDs anymore @wickett #ruggeddevops

  38. Software as a Service @wickett #ruggeddevops

  39. The last fifteen years have brought a complete change in our delivery cadence, distribution mechanisms and revenue models @wickett #ruggeddevops

  40. Second Arc: DevOps @wickett #ruggeddevops

  41. DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM ADMINISTRATION - THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK @wickett #ruggeddevops

  42. DEVOPS @wickett #ruggeddevops

  43. Agile Infrastructure @wickett #ruggeddevops

  44. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr @wickett #ruggeddevops

  45. Less WIP, less technical debt @wickett #ruggeddevops

  46. Customers actually using the feature while the developer is working on it @wickett #ruggeddevops

  47. Great side effect: Produces Happy Developers @wickett #ruggeddevops

  48. @wickett #ruggeddevops

  49. @wickett #ruggeddevops

  50. Devops realized that ops doesn’t know what devs know and vice versa @wickett #ruggeddevops

  51. Dev : Ops 10 : 1 @wickett #ruggeddevops

  52. DevOps is an Epistemological breakthrough joining people around a common problem @wickett #ruggeddevops

  53. Culture is the most important aspect to devops succeeding in the enterprise - Patrick DeBois @wickett #ruggeddevops

  54. Culture is shaped in part by values @wickett #ruggeddevops

  55. @wickett #ruggeddevops

  56. Mutual Understanding, Shared Language, Shared Views, Collaborative Tooling @wickett #ruggeddevops

  57. DEVOPS IS THE INEVITABLE RESULT OF NEEDING TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED COMPUTING AND CLOUD] ENVIRONMENT. - TOM LIMONCELLI @wickett #ruggeddevops

  58. https://puppetlabs.com/sites/default/files/2015-state-of-devops-report.pdf @wickett #ruggeddevops

  59. TL;DR: High-performing IT organizations experience 60X fewer failures and recover from failure 168X faster than their lower-performing peers. They also deploy 30X more frequently with 200X shorter lead times. @wickett #ruggeddevops

  60. Culture, Automation, Measurement, Sharing - @damonedwards, @botchagalupe @wickett #ruggeddevops

  61. Devops gone wrong @wickett #ruggeddevops

  62. “THAT THE WORD #DEVOPS GETS REDUCED TO TECHNOLOGY IS A MANIFESTATION OF HOW BADLY WE NEED A CULTURAL SHIFT” - @PATRICKDEBOIS http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops @wickett #ruggeddevops

  63. Third Arc: Continuous Delivery @wickett #ruggeddevops

  64. Continuous Delivery is not merely how often you deliver but how little you can deliver at a time @wickett #ruggeddevops

  65. Delivery Pipelines are rad! @wickett #ruggeddevops

  66. Batch Size of 1 @wickett #ruggeddevops

  67. Separation of Duties Considered Harmful @wickett #ruggeddevops

  68. Give power to the Developers to deploy @wickett #ruggeddevops

  69. Reduce Code Latency, Increase Code Velocity @wickett #ruggeddevops

  70. 3 Arcs: Agile, DevOps, Continuous Delivery @wickett #ruggeddevops

  71. The next Arc: Security Rugged @wickett #ruggeddevops

  72. “…Those stupid developers” - Security person @wickett #ruggeddevops

  73. “Security prefers a system powered off and unplugged” - Developer @wickett #ruggeddevops

  74. Cultural Unrest with security in most organizations @wickett #ruggeddevops

  75. Compliance Driven Culture @wickett #ruggeddevops

  76. “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” @wickett #ruggeddevops

  77. Security is where ops was 5 years ago… @wickett #ruggeddevops

  78. Dev : Ops : Sec 100 : 10 : 1 @wickett #ruggeddevops

  79. Understaffing means no one thinks security helps the business win @wickett #ruggeddevops

  80. DevOps changed that for Ops, security can change too @wickett #ruggeddevops

  81. Netflix demonstrated that people care about resiliency @wickett #ruggeddevops

  82. Innately, we all care @wickett #ruggeddevops

  83. Rugged Software Movement @wickett #ruggeddevops

  84. #ruggeddevops @wickett #ruggeddevops

  85. https://vimeo.com/54250716 @wickett #ruggeddevops

  86. http://www.youtube.com/watch?v=jQblKuMuS0Y @wickett #ruggeddevops

  87. Security’s way forward is to help developers and help operations @wickett #ruggeddevops

  88. Start there @wickett #ruggeddevops

  89. Let’s review Security’s approach thus far @wickett #ruggeddevops

  90. Bad Idea #1: Applications can’t be defended, Web App Firewalls suck! Let’s do developer training @wickett #ruggeddevops

  91. @wickett #ruggeddevops

  92. @wickett #ruggeddevops

  93. Awareness campaign OWASP Top Ten @wickett #ruggeddevops

  94. We abandoned knowing anything useful about the Runtime @wickett #ruggeddevops

  95. Instead, add defense based on behaviors @wickett #ruggeddevops

  96. Bad Idea #2: Developers can’t figure it out. Let’s scan for vulnerabilities instead @wickett #ruggeddevops

  97. “Here is a 400 page PDF of our findings to prove your developers don’t get it!” - The pen tester @wickett #ruggeddevops

  98. Even with the emphasis on appsec training, in practice we made it a dark art @wickett #ruggeddevops

  99. Integrated rugged testing should sit inside the pipeline @wickett #ruggeddevops
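One concrete shape of the “rugged testing inside the pipeline” idea on this slide, added here as an illustration and not taken from the deck: a Gauntlt-style attack file that a CI job runs against a freshly deployed staging host, so a deploy fails when the host exposes an unexpected port or drops a security header. The speaker’s bio mentions the Hands-On Gauntlt book, but the deck itself shows no attack files. The hostname `staging.example.test`, the expected port and the expected header are constructed values; it assumes `gauntlt`, `nmap` and `curl` are installed on the CI runner.

```gherkin
# Constructed example: executed by `gauntlt` as a pipeline stage.
# Any failing "Then" step fails the build, which is the whole point:
# the security check is a gate, not a report e-mailed afterwards.
@slow
Feature: Pipeline security gate for the staging deployment

  Background:
    Given "nmap" is installed
    And "curl" is installed
    And the following profile:
      | name     | value                        |
      | hostname | staging.example.test         |
      | url      | https://staging.example.test |

  Scenario: Only the expected service port is reachable
    # Fast scan of the common ports on our own host; we assert on what
    # must be open and on what must not be.
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should match /443.tcp\s+open/
    And the output should not match /22.tcp\s+open/

  Scenario: The deployed app sends its security headers
    # Header-only request; the header name is the constructed expectation.
    When I launch a "curl" attack with:
      """
      curl -sI <url>
      """
    Then the output should contain "Strict-Transport-Security"
```

Keeping the file in the application repository lets developers change the expectations in the same pull request that changes the behaviour, which is the collaboration the earlier DevOps slides describe, applied to security.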
