Securing the DevOps Landscape
Martyn Coupland
DevOps Technical Lead, Virgin Atlantic
Reality of data breaches
[Chart: Records Lost Per Year, 2010 to 2019]
[Chart: Breaches by Sensitivity, 2010 to 2019; series: Email, SSN, Credit Card, Health, Full]
Reality of data breaches
[Pie chart: Breaches Per Sector; Tech 44%, Web 33%; sectors charted: Academic, App, Energy, Financial, Gaming, Government, Military, Healthcare, Legal, Media, Retail, Tech, Telecoms, Transport]
[Pie chart: Breaches by Method; Hacked 62%, Insider 6%, Lost Device 13%, Oops 6%, Poor Security 13%, Other]
Reality of data breaches
[Bar chart: Records Lost by Method; categories: Hacked, Insider, Lost Device, Oops!, Poor Security, Other]
What have we learned
• The number of breaches and the number of records lost per year are both generally going up
• 62% of breaches are due to hacking
• 6% are due to mistakes
• 6% are insider jobs
• Although hacking accounts for nearly ⅔ of breaches, it accounts for only about half as many lost records as poor security does
• Lost devices account for 13% of breaches but only around 1% of records lost
• Tech firms are most at risk, accounting for 44% of breaches, with web-based breaches next at 33%
• Passwords were among the data exposed in 70% of the breaches charted
Summarising the data
Data: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Security comes first…
• Security comes in various forms; think about every angle
• With hacking so prevalent, secure all aspects of your platform, including your pipelines
• It should just be DevOps, not DevSecOps; think of security as a service
• Shift security to the left
Don’t be headline news
What hinders security innovation?
• Manual processes and culture
• Point in time assessments
• Traditional InfoSec “friction”
• Misunderstanding of context
• Political internal interference
• Fear of failure
• Lack of external thinking
Security is everyone’s responsibility…
The DevOps, Sec ratio
Numbers matter…
100 : 10 : 1 (Dev : Ops : Sec), and the security people are hard to find
The art of DevSecOps
DevSecOps is made up of four practices:
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
Security is and always has been a design constraint
If you can remember five things, let it be these…
“Apps and data are as safe as where you put it, what’s in it, how you inspect it, who talks to it and how it’s protected”
It must be built-in to be effective
• Authentication
• Logging
• Asset Management
• Zoning & Containment
• Encryption
Security as code
• Paper policies do not stand up to constant cloud evolution and lessons learned
• Translating from paper to code and back leads to serious mistakes
• Traditional policies do not translate to full stack deployments
Data Centre:
• Lock your doors
• Badge in
• Authorised personnel only
• Background checks
Cloud Provider:
• Choose strong passwords
• Use MFA
• Rotate API credentials
• Cross-account access
EVERYTHING AS CODE
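As an added example (not code from the talk), here is the cloud-provider column of that slide written as a policy-as-code check: the password-policy, MFA, credential-rotation and cross-account rules become assertions that run over an account snapshot in the pipeline, so the policy lives in code next to the deployment instead of on paper. The snapshot structure, the thresholds (90-day rotation, 14-character minimum, the trusted-account allow-list) and the sample accounts are assumptions for illustration.

```python
"""Security as code: cloud account controls as an executable policy check.

Added example, not from the talk. The Snapshot/User/Role shapes, the
thresholds and the sample data are assumptions; in a pipeline the snapshot
would be built from the provider's API or an IaC plan.
"""
from dataclasses import dataclass
from datetime import date

MAX_KEY_AGE_DAYS = 90                # assumed rotation policy
MIN_PASSWORD_LENGTH = 14             # assumed password policy
TRUSTED_ACCOUNTS = {"111111111111"}  # assumed cross-account allow-list


@dataclass
class User:
    name: str
    mfa_enabled: bool
    api_keys: list          # (key_id, created_date) pairs


@dataclass
class Role:
    name: str
    trusted_accounts: list  # account IDs allowed to assume the role


@dataclass
class Snapshot:
    password_min_length: int
    users: list
    roles: list


def evaluate(snap, today):
    """Return one finding string per control violation (empty list = compliant)."""
    findings = []
    # 'Choose strong passwords': account-wide password policy
    if snap.password_min_length < MIN_PASSWORD_LENGTH:
        findings.append(
            f"PASSWORD-POLICY: minimum length {snap.password_min_length} "
            f"< {MIN_PASSWORD_LENGTH}")
    for u in snap.users:
        # 'Use MFA': every user must have a second factor
        if not u.mfa_enabled:
            findings.append(f"MFA-REQUIRED: user {u.name} has no MFA")
        # 'Rotate API credentials': no key older than the rotation window
        for key_id, created in u.api_keys:
            age = (today - created).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(
                    f"KEY-ROTATION: {u.name}/{key_id} is {age} days old "
                    f"(limit {MAX_KEY_AGE_DAYS})")
    # 'Cross-account access': only allow-listed accounts may assume roles
    for r in snap.roles:
        for acct in r.trusted_accounts:
            if acct not in TRUSTED_ACCOUNTS:
                findings.append(
                    f"CROSS-ACCOUNT: role {r.name} trusts unlisted account {acct}")
    return findings


def gate(snap, today):
    """Pipeline gate: True only when the snapshot passes every control."""
    return not evaluate(snap, today)


# Constructed sample snapshots (placeholder account IDs and key IDs, not real ones)
TODAY = date(2020, 1, 15)
SAMPLE = Snapshot(
    password_min_length=8,
    users=[
        User("alice", True, [("KEY-EXAMPLE-01", date(2019, 12, 1))]),   # 45 days old
        User("bob", False, [("KEY-EXAMPLE-02", date(2019, 6, 1))]),     # 228 days old
    ],
    roles=[
        Role("deploy", ["111111111111"]),
        Role("audit", ["999999999999"]),   # not on the allow-list
    ],
)
SAMPLE_OK = Snapshot(
    password_min_length=14,
    users=[User("carol", True, [("KEY-EXAMPLE-03", date(2019, 12, 1))])],
    roles=[Role("deploy", ["111111111111"])],
)

if __name__ == "__main__":
    for finding in evaluate(SAMPLE, TODAY):
        print(finding)
    raise SystemExit(0 if gate(SAMPLE, TODAY) else 1)
```

Run as a pipeline step, the exit code gates the deploy and the findings list is the audit record; the policy is reviewed, versioned and tested like any other code rather than re-read from a document at each assessment.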
Continuous feedback
Product Team: FEEDBACK (Unit Tests, CI/CD, Regression, Monitoring, Customer Feedback, Attack Activity)
Security Team: SECURITY TESTING & DATA
Community: INTELLIGENCE
The journey to high fidelity feedback
Inputs: Researchers, Red Team, Pen Test, Tooling, Threat Intel, IOCs, AI, Logs & Events, Bug Bounty
# Events: Billions → Millions → Thousands → Hundreds (TB/day of logs and events at the top of the funnel)
Stages: Correlation → Case Management → Developer Backlog
Output: Workflow and Pipeline → Actionable Features/Defects
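To make the funnel concrete, here is an added example (not from the talk) of the correlation stage: constructed log lines are parsed, matched against a small IOC list and two simple rules, correlated per host into cases, and only cases above a severity threshold become developer backlog items. The log format, the IOCs (documentation-range addresses), the rules and the thresholds are assumptions for illustration.

```python
"""Feedback funnel: raw events -> rule/IOC hits -> correlated cases -> backlog items.

Added example, not from the talk. Log format, IOC list, rules and thresholds
are constructed for illustration.
"""
import re
from collections import defaultdict

IOCS = {"198.51.100.23", "203.0.113.7"}   # constructed indicators (documentation ranges)
BRUTE_FORCE_THRESHOLD = 5                  # failed logins from one source before escalating
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# constructed format: <timestamp> <host> <event> key=value ...
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\w+) (?P<kv>.*)$")


def parse(line):
    """Parse one log line into a dict; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(part.split("=", 1) for part in m["kv"].split() if "=" in part)
    return {"ts": m["ts"], "host": m["host"], "event": m["event"], **kv}


def correlate(events):
    """Apply the rules in order and fold every hit into one case per host.

    Returns (cases, hit_count); each case keeps the rules that fired, the
    highest severity seen and the time window it covers.
    """
    cases = {}
    fails = defaultdict(int)   # (host, src) -> failed logins seen so far
    hit_count = 0
    for ev in events:
        hits = []
        if ev["event"] == "conn" and ev.get("dst") in IOCS:
            hits.append(("ioc-outbound", "high"))
        if ev["event"] == "auth":
            key = (ev["host"], ev.get("src"))
            if ev.get("result") == "fail":
                fails[key] += 1
                hits.append(("auth-failure", "low"))
                if fails[key] == BRUTE_FORCE_THRESHOLD:
                    hits.append(("brute-force", "medium"))
            elif ev.get("result") == "ok" and fails[key] >= BRUTE_FORCE_THRESHOLD:
                # a success after a run of failures is the signal worth acting on
                hits.append(("success-after-failures", "high"))
        for rule, sev in hits:
            hit_count += 1
            case = cases.setdefault(ev["host"], {
                "rules": set(), "severity": "low", "first": ev["ts"], "last": ev["ts"]})
            case["rules"].add(rule)
            case["last"] = ev["ts"]
            if SEVERITY[sev] > SEVERITY[case["severity"]]:
                case["severity"] = sev
    return cases, hit_count


def to_backlog(cases):
    """Only medium-or-higher cases become developer backlog items; low stays in case management."""
    items = []
    for host, c in sorted(cases.items()):
        if SEVERITY[c["severity"]] < SEVERITY["medium"]:
            continue
        items.append({
            "title": f"[{c['severity']}] {host}: {', '.join(sorted(c['rules']))}",
            "host": host, "severity": c["severity"],
            "rules": sorted(c["rules"]), "window": (c["first"], c["last"]),
        })
    return items


def funnel(text):
    """Run the whole funnel; returns (stage counts, backlog items)."""
    events = [e for e in (parse(l) for l in text.splitlines()) if e]
    cases, hit_count = correlate(events)
    backlog = to_backlog(cases)
    return ({"events": len(events), "hits": hit_count,
             "cases": len(cases), "backlog": len(backlog)}, backlog)


# Constructed sample log (not captured from a real system)
SAMPLE_LOGS = """\
2020-01-15T10:00:01Z web01 auth user=admin src=192.0.2.10 result=fail
2020-01-15T10:00:02Z web01 auth user=admin src=192.0.2.10 result=fail
2020-01-15T10:00:03Z web01 auth user=admin src=192.0.2.10 result=fail
2020-01-15T10:00:04Z web01 auth user=admin src=192.0.2.10 result=fail
2020-01-15T10:00:05Z web01 auth user=admin src=192.0.2.10 result=fail
2020-01-15T10:00:06Z web01 auth user=admin src=192.0.2.10 result=ok
2020-01-15T10:01:00Z web01 conn dst=198.51.100.23 dport=443
2020-01-15T10:02:00Z db01 auth user=svc src=10.0.0.5 result=fail
2020-01-15T10:03:00Z app02 conn dst=10.0.0.9 dport=5432
2020-01-15T10:04:00Z app02 auth user=deploy src=10.0.0.2 result=ok
"""

if __name__ == "__main__":
    stats, backlog = funnel(SAMPLE_LOGS)
    print(stats)
    for item in backlog:
        print(item["title"], item["window"])
```

On the sample, ten events produce nine rule hits, two cases and a single backlog item (web01: a brute-force run, a successful login straight after it, and an outbound connection to a known indicator); the one failed login on db01 stays in case management as low-severity noise. The same shape scales from a handful of lines to the billions-per-day the slide describes: the reduction happens at correlation, not by dropping inputs.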
Fact check
• Teams focusing on testing, detection and measuring progress have 30% fewer defects in production
• Their MTTR is 5x faster than other teams’
• They average 98% CI/CD success
Great information, but does it work?
Five foundations
• Don’t measure at a team level, measure globally
Security’s goal is to help the business achieve its goals; avoid siloed thinking
• Measure outcomes vs outputs
Measuring work done is not tied to tangible outcomes
• “Maturity Threshold”
Forget it; prioritise resilience over a notion of maturity
• Don’t miss the forest for the trees
Focusing on components too much can mean missing the bigger picture
• Don’t try to measure failure
Failure is inevitable; incentivising failure avoidance is unrealistic at best