"Tools & Techniques from building a DevSecOps culture at Mozilla" For the past decade, security teams at Mozilla have sharpened their tools and improved their techniques to mature the security culture of the organization, and dramatically reduce vulnerabilities and risks. In this talk, Julien shows how Mozilla approaches DevSecOps and shares lessons learned from that journey. Speaker: Julien Vehent, Firefox Operations Security Talk language: English About the Speaker: ********************* Julien Vehent is a French computer security engineer who leads the Firefox Operations Security team at Mozilla. He specializes in web applications security, cloud infrastructure, cryptography and risk management. He is the author of “Security DevOps”, published at Manning in 2018.

1. Building a DevOps
Security Culture
at Mozilla
1
Julien Vehent - Mozilla

2. $ whoami
2
twitter: jvehent
web: https://j.vehent.org
email: julien@vehent.org

3. 3

4. 4

5. 5

6. It didn’t use to be this way
6

7. 7
comfort zone
Oh Hey Let’s do the devsecops thing!

8. 8
Behold The Security Engineer

9. git commit -a . && git push origin master
9

10. or what happens when security guys write ops tools
Sops
10

11. Don’t just build security tools.
Build operational tools
that do things securely.
11

12. 12
Embedded

13. Centralized
Distributed
C-Suite
Eng. grp A Eng. grp B
Ops A
Dev A
Sec A
Ops B
Dev B
Sec B
CISO
C-Suite
Eng. grp A Eng. grp B
Ops A
Dev A Sec A
Ops B
Dev B
Sec B
CISO
Centralized security orgs are often too
far from devs & ops to be impactful
Distributed security orgs have better
impact but worse strategy & coordination

14. Embedding
C-Suite
Eng. grp A Eng. grp B
Ops A
Dev A Sec A
Ops B
Dev B
Sec B
CISO
The hybrid embedded model distributes engineers from a central security org into
dev & ops teams. Managers of those teams have direct influence into the work of
the embedded engineers, but security strategy & coordination is centralized.

15. Embedding works both ways: Security Champions
C-Suite
Eng. grp A Eng. grp B
Ops A
Dev A Sec A
Ops B
Dev B
Sec B
CISO
Champions are engineers from dev & ops teams who are treated like security team
members and have direct access to all the resources of the security org.

16. Assumptions lead to vulnerability
16

17. 17
Trust the data

18. Trust
the
tests
18
github.com
/mozilla
/frost

19. Setting the expectations
19

20. 20

21. 21
test:
override:
# build and run an application container
- docker build -t myrepo/myapp
- docker run myrepo/myapp &
# retrieve the ZAP container
- docker pull owasp/zap2docker-weekly
# run the baseline scan against the application
- docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://172.17.0.2:8080/ -m 3 -i
WARN: Web Browser XSS Protection Not Enabled [10016] x 3
https://www.example.com
https://www.example.com/robots.txt
https://www.example.com/sitemap.xml
WARN: X-Content-Type-Options Header Missing [10021] x 1
https://www.example.com
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 4 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 22

22. 22
github.com
/mozilla-services
/websec-check
Security
Checklists

23. 23
Observatory
.Mozilla
.Org
Self
Service
Assessments

24. 24
Clear Expectations
↓
Checklist
↓
Self Assessment
↓
Profit

25. Not having to say “no”
25

26. 26
Ships are safe in harbor.
But that’s not what
ships are for.

27. 27
Rapid
Risk
Assessments
mzl.la/2mkWN37

28. To go beyond the security team
Get the security team closer to your organization
28

29. Thank You!
securing-devops.com