DevOps continues to be a buzzword in the software development and operations world, but is it really a paradigm shift? It depends on what lens you view it through. Roman Garber, an active software security engineering and software team lead thinks so. Ed Adams, Security Innovation CEO, a 20-year software quality veteran and former mechanical engineer, curmudgeonly disagrees.

1. 1

2. 2
Secure DevOps:
Revolution or Evolution
Ed Adams
eadams@securityinnovation.com
@AppSec
Roman Garber
rgarber@securityinnovation.com

3. 3
About Security Innovation
• For over 15 years, we’ve helped secure software in the toughest places:
• Authors of 18 books on security topics (10 co-authored with Microsoft)
• Over 2 million licensed users of our training solutions (12 awards this year)
• Gartner Magic Quadrant leader

4. 4
Agenda
• DevOps vs. other methodologies
• Problems created/solved by DevOps
• Best practices for resilient software

5. 5
DevOps vs. Other Methodologies

6. 6
Varying Views
“Transform the way security controls are
implemented and ensure they become business
enablers”
“Of Course it’s a fad. DevOps is the cool toy in the midst of Gartners
(in)famous hype cycle. It delivers benefits but not on it’s promise”
“DevOps is hereto stay”
“Unstoppable deployment….. in small chunks of time”“Repeat Warning: There is No Silver Bullet in
DevOps”

7. 7
DevOps vs. DevSecOps
DevOps is a set of practices that automates the processes between software development and IT
operations teams, so they can build, test, and release software faster and more reliably.
Should (eventually) be the same thing

8. 8
The DevOps Promise(s)
• Stop throwing software over the proverbial wall to IT, who’s
expected to deploy and service it (headache free)
• Make quality (including security) everyone’s responsibility
• At every phase
• Cross-skills/functional teams
• Ops using developer techniques, e.g., source control
• Dev considering IT metrics, e.g., performance
• At regular intervals, team reflects on how to be more
effective, then tunes and adjusts its behavior accordingly

9. 9
Security virtually
non-existent
Post deployment
at best
Manual
Waterfall
DevOps concepts
introduced
Widely adopted
Align teams and tools
Quality is everyone’s job
Security extensions added
later
CMM/RUP/Agile
Security-specific changes
for CMM
Last updated 2008
Captures best practices
SSE-CMM
Prescriptive
Training for each role
Security at Each Phase
Prescriptive;
“Too heavy-weight”
Extensions added for Agile
MS SDL
Extension of DevOps
Cross functional skills
Align teams and tools
Security is Everyone’s job
Prescriptive but pliable
“Game changer”
DevSecOps
Software Development – Last Few Decades

10. 10
Microsoft Patterns & Practices:
Security Engineering Cheat sheet (2007)
These techniques and
approach shipped with
VSTS/MSF Agile starting in
2005

11. 11
Q: Revolutionary or Evolutionary?
Evolutionary
• Same concepts existing 20 years ago
• We keep updating/refining the same practices
o Just new words and modernized tools
Revolutionary
• While DevOps builds on agile and iterative development, integrating
tightly and releasing multiple times/day is disruptive
• Manager vs. Practitioner view:
o How am I going to review all these releases?
o Automation helps, but I still have to know a lot
o Very different than “ok lets review what you got model prior”

12. 12
Where are you in terms of Secure DevOps rollout?
• Gathering data
• Starting to Implement
• In optimization mode

13. 13
Problems Solved/Created by DevOps

14. 14
The Business Case for DevOps

15. 15
Misalignment is Real
• 64% of C-suite respondents believe security teams are
involved in technology design and deployment
• 39% at the practitioner/team level believe so
• Highly-evolved organizations
• 24 times more likely to always automate security policy
configurations compared to the least evolved organizations
• As organizations evolve, security policy becomes part of
operations
• Not just an afterthought when an audit looms
• This requires first breaking down boundaries between Dev, Ops,
and Security teams
Source: 2018 State of DevOps Report from Puppet

16. 16

17. Where’s the Disconnect…?
Source: “2018 Application Security Report,” Cybersecurity Insiders

18. 18
Q: Is primary value improving overall security, or getting
software released sooner with minimal risk?
Better quality
• In time this means faster release cycles
• Few defects/re-work; more time on features
Getting Feature out the Door sooner
• You don’t know something works until you try it
• Can’t plan for everything because life is what happens while you are
busy planning
• Business needs to market test features fast, measure success and pivot

19. 19
Problems DevOps Can Create
• Temptation to over-automate
• Too much reliance on tools
• Info/data overload
(why SIEMs were created in the first place)
• DIY tools
• Cheaper/better to write myself
• Build a ballfield, someone has to mow the lawn
• How to properly integrate with existing processes and infrastructure
• Security knowledge dilution
• Promotes wider, general knowledge rather than specialized focus
• Quality is everyone’s job
• …so, it’s always someone else’s job!

20. 20
Best Practices for Resilient Software

21. 21
Q: Is it more about the tools, mindset or methodologies?
Tools, Tools, Tools
• The methodologies are all the same
• The mindset is what is was in 1998 (20 years ago)
• What’s different is the technology and tools to implement the mindset
and culture change
Mindset & Culture Change
• Large corporations have departments of development, business, security
security
• Don’t work well together, throw over the fence
• Everyone needs to work together as one team, no my job-your job
mentality

22. 22
Continuous & Iterative Assessment
• Design Analysis
• Mapping security requirements to code identifies potential automation points
• Securing the Design
• For security and component reuse, identify insecure APIs, and frameworks
• Secure them to enable recycling and minimize new development
• Software Security Code Review
• Review in small chunks, analyzing only newly, re-written or high risk code
• Focus on “hot spots” in code, frameworks and components
• Software Security Assessment
• Leverage scanners for breadth and specialized tools for depth
• Secure Operations
• Look for secure by default deployment stacks
• Ensure resilience against persistent external attacks at all layers

23. 23
Threat
Mitigation
Vulnerability
Attacker
DevOps Security Glue: Threat Modeling
Vulnerabilities are
unmitigated threats
Here’s our opportunity!
• Secure applications start with understanding the threats
• Threats are not vulnerabilities; they live forever and are attack vectors
• If done at each phase, provides more leverage than any other security activity

24. 24
Q: If you are _____, then you have not implemented
or realized the benefits Secure DevOps
MOST Organizations
• Just like ”moving to the cloud” everyone is talking about it, but few are
actually DOING it
• Secure DevOps is nothing more that resilient, quality-conscious
software development
NO Finite moment
• CI/CD means continuous improvement and deployment
• Release fast, release often measure value, keep or throw
• Maintain risks at acceptable level, don’t expose clients data

25. 25
Build Security Champions
• Security team can help, but not sufficiently when dealing with multiple teams and lack of
security culture
• Champions are practitioners that serve as mentors, help determine when to engage the
security team and serve as a single point of contact
• Clearly define their goal and responsibilities, which often include:
• Conduct and/or verify security reviews in the team
• Guard and promote best practices.
• Raise issues for risks in existing and new code
• Build threat models for new features
• Investigate bug bounty reports
• Participate in R&D activities
• They should be the most knowledgeable and passionate about software security, and
understand how engineering activities feed off each other

26. 26
The Microsoft SDL: Reduction in Vulnerabilities
119
66
400
242
157
Windows® XP Windows
Vista®
OS I OS II OS III
Total Vulnerabilities Disclosed 12
Months After Release
34
3
187
SQL Server® 2000 SQL Server 2005 Competing commercial DB
Total Vulnerabilities Disclosed 36
Months After Release
Before SDL After SDL
45% reduction in Vulnerabilities
Before SDL After SDL
91% reduction in Vulnerabilities
Consistent use of sound security practices, regardless of which ones,
during all phases of development will reduce risk and facilitate compliance

27. 27
Q: DevOpsSec, SecDevOps, DevSecOps?
Who Cares What You Call It?
• Just do it right 
• Same premise: get aligned, share nomenclature & tooling, etc.
• Remove the “Sec” and just think quality
The Same, But Different
• You can knit-pick with no value
• Ultimately doesn’t matter as long as risks are under control

28. 28
Summary
• Software security is not just a developer problem
• Each phase of development is an opportunity to introduce or mitigate risk
• Secure DevOps can solve some plaguing issues:
• Lack of cross-functional knowledge between build and deployed state
• Security slowing down ability to get features out the door
• Success of DevOps (or any other methodology) relies on 3 key principles
• Automate what can be done faster than humans
• Conduct manual inspections to find problems that elude tools; especially with high risk
features/applications
• Balance tools, knowledge, and process – each feeds into one another

29. 29
Polling Question
• What do you think? Is DevOps Evolution or Revolution?

30. 30
Maintaining DevOps Security Skills
• Experts predict a shortage of 3.5 million cybersecurity professionals for 2021*
• It’s hard to build a strong DevOps outfit without expertise to support it
• Organizations need to innovate their approach to grooming security personnel
• If everyone needs to be responsible for security, then everyone needs to
understand how applications are attacked
*https://www.csoonline.com/article/3200024/security/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html

31. 31
CMD+CTRL: Application Security Cyber Range
Remote
Access
Detailed
Reports
Remediation
eLearning
available
Seven
Authentic App
Sites
Real time
scoring
Scalable to
hundreds in
minutes
CMD+CTRL

32. 32
• Start by finding vulnerabilities
• Really powerful, eye-opening activity
• Most exciting part of security (the “hack”)
• You can’t create resilient code until you know how it fails
• Augment existing test cases with proven new ones
• Learn how design and IT configurations can be circumvented
• Understanding failures helps humans prevent them:
• This is why we have practices and pre-season games in sports
• Assess real-world preparedness so you can take the right action
• Drives home the need for standards, policies, and requirements
• Provides value added feedback to co-workers
Cyber Range: The “A-ha” Moment

33. 33
Application Security Computer-Based Training
• 150+ courses for software development and deployment
• 40 Learning paths by role, platform, technology
DevOps Learning Path
• Fundamentals of Secure Development
• Fundamentals of Secure Architecture
• Securing Network Access
• Securing Operating System Access
• Securing Cloud Instances
• Application & Technical Access Controls
• Essential Security Engineering Principle
• Essential Application Protection
• Essential Data Protection
• Fundamentals of Threat Modeling
• Fundamentals of Security Testing

34. 34
Hacking the Holidays
• From December 21st – January 4th, we
are giving limited-time free access to our
CMD+CTRL Cyber Range.
• If you are interested in participating,
please email us at
getsecure@securityinnovation.com and
we will send you an invitation.

35. 35
Questions?