SRE
Bruno Connelly
Security & SRE: Natural Force Multipliers
SREcon18
Cory Scott
CHIEF INFORMATION SECURITY OFFICER

Why should Security and SRE be so closely aligned?

LinkedIn’s Engineering Hierarchy of Needs
• Magic
• Site Up & Secure
• Technology at Scale
• Development at Scale
• Solid APIs & Building Blocks

"the fox knows many things, but the hedgehog knows one big thing."
-- Archilochus, Greek Poet

2018

“What’s the state of product development and infrastructure?”
• MICROSERVICE ARCHITECTURE SCALING TO MEET DEMANDS
• 3RD PARTY ADOPTION EXPLODING
• DATACENTER TECH ACCESSIBLE FOR EVERYONE
• FAST RATE OF EVOLUTION: PRODUCT VISUALIZED IN AM, DEPLOYED IN PM
That seems….. great?

“How are we doing on defense?”
• COMPLIANCE INITIATIVES?
• MAGIC BOXES?
• CUSTOMER ASSURANCE?
• NETWORK ACCESS CONTROL?
• ENDPOINT SECURITY PRODUCTS SUCH AS ANTI-VIRUS?
• BOUNTIES?
What!?!

...

Site Reliability Hierarchy of Needs
• Product
• Monitoring & Incident Response
• Post-Mortem & Analysis
• Testing & Release Procedures
• Capacity Planning
SRE Hierarchy of Needs from Google SRE book

“Changes in production applications are happening at a greater rate than ever before. New product ideas can be visualized in the morning and implemented in code in the afternoon.”

Innovation and Rate Of Change
Embrace the Error Budget
• Self Healing & Auto Remediation
• Reduction of Manual Process
Inject Engineering Discipline
• Review when architecture changes reach a certain complexity point.
“Trust but Verify”
• Security to follow SRE “trust but verify” approach towards engineering partners

“Testing in production is the new norm”

Establishing Safe & Reliable Test Environments
SRE SECURITY

“Microservice architectures are exploding to meet scalability requirements”

Microservice Architecture
SECURITY CHALLENGES ARE SIMILAR TO SRE
SRE Challenges
● Latency & Performance Impact
● Cascading Failure Scenarios
● Service Discovery
Security Challenges
● Authentication
● Authorization
● Access Control Logic

“Dependencies on third-party code and services can be collected faster than you can inventory them.”

Visibility in Your Third-Party Services

“Data center technologies can all be controlled with a single web application in the hands of a devops intern.”

Production Access & Change Control
Configuration as code, leveraging source code control paradigms, is a huge boon to security.
Rollback ruthlessly.
● Start with a known-good state
● Asset management and change control discipline
● Ensure visibility
● Validate consistently and constantly

TAKEAWAYS OR GIVEAWAYS
(DEPENDING ON YOUR POSITION IN THE AUDIENCE)

Overall Lessons for Security
1. Your data pipeline is your security lifeblood
2. Human-in-the-loop is your last resort, not your first option
3. All security solutions must be scalable and default-on, just like SREs build it

Overall Lessons for SRE
1. Remove single points of security failure like you do for availability
2. Assume that an attacker can be anywhere in your system or flow
3. Capture and measure meaningful security telemetry
