DJ Schleen
Embracing DevSecOps
A Changing Security Landscape for the US Government
@djschleen
devsecops
not just for hipsters
reduce risk
culture
the three ways

AUTOMATE: Automate security toolsets by integrating them into your SDLC in an unobtrusive and transparent way.

DISSEMINATE: Collect information from your toolsets, aggregate it into actionable KPIs, and deliver it to the appropriate stakeholders.

INVESTIGATE: Establish baselines that define normal operating behavior and investigate abnormalities that appear.

EFFICIENCY
WHHHHHHYYYYY?
100:1
DEVELOPERS OUTNUMBER SECURITY

The faster a team can deploy to production, the quicker an organization can remediate critical vulnerabilities and zero-days.
[Figure: delivery cycle time. Agile: cycle time weeks to months, 10-20 releases, passing once through Plan, Design, Build, Test, Deploy, Operate, Learn. DevSecOps: cycle time minutes to hours, "your imagination is the limit", looping continuously through Design, Build, Test, Deploy, Operate, Learn.]

Observation

Increased flow can reduce the risk of outdated software stagnating in production.

When change is normal and expected, fire-drills become a thing of the past.

AGILE ISN'T AGILE ENOUGH
TIMELINE OF AN ATTACK
Large Scale Exploit

March 7: Apache Struts releases an updated version to thwart vulnerability CVE-2017-5638.
March 10: Equifax applications breached through the Struts2 vulnerability.
July 29: Breach is discovered by Equifax.

[Figure: timeline from March to September 2017; the interval between the March 10 breach and the July 29 discovery is labeled "Probe", followed by "Crisis Management".]
EQUIFAX WAS NOT ALONE

3 Days in March
March 7: Apache Struts releases an updated version to thwart vulnerability CVE-2017-5638.
March 8: NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances. Struts exploit published to Exploit-DB.
March 9: Cisco observes "a high number of exploitation events."
March 10: Equifax, Canada Revenue Agency, Statistics Canada, GMO Payment Gateway.

The Rest of the Story
March 13: Okinawa Power, Japan Post.
April 13: India Post.
December '17: Monero cryptomining.
March '18: India's AADHAAR.
Today: 8,780 continue to download vulnerable versions of Struts. 57% of the Fortune 100.
AVERAGE DAYS BEFORE VULNERABILITY IS EXPLOITED
risk
85%-97%
CODE YOUR DEVELOPERS DON'T BUILD

NIST SPECIAL PUBLICATION 800-161 (Supply Chain Risk Management Practices for Federal Information Systems and Organizations)
SAY HELLO TO YOUR SOFTWARE SUPPLY CHAIN
NOT ALL PARTS ARE CREATED EQUAL

AUTOMATION ACCELERATES OSS DOWNLOADS
• 1,096 new projects per day
• 10,000 new versions per day
• 14x releases per year
• 3M npm components
• 2M Java components
• 900K NuGet components
• 870K PyPI components
DEFECT PERCENTAGES FOR JAVASCRIPT

85% to 97% of modern apps consist of assembled components.

80% to 90% of modern operations consist of assembled containers.

[Figure: PULLS FROM DOCKER HUB, contrasting containers with hand-built applications and infrastructure.]
TIME TO REPAIR OSS COMPONENTS
• Mean TTR: 233 days
• Median TTR: 119 days
• 122,802 components with known vulnerabilities
• 19,445 (15.8%) fixed the vulnerability
APACHE STRUTS2 MEAN TIME TO REPAIR
• CVE ID: CVE-2017-5638
• March 7: Apache fixed the vulnerability
• Mean TTR: 0 days
7,500 ORGANIZATIONS ANALYZED
• 170,000 Java component downloads annually
• 3,500 unique components
• 18,870 downloads (11.1%) with known vulnerabilities
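The AUTOMATE and DISSEMINATE practices from the "three ways" section, and the known-vulnerability and time-to-repair figures above, come together in a pipeline gate like the one below. This is an added example written for this page, not code from the deck or from any tool it mentions. The manifest is constructed; the two affected ranges for CVE-2017-5638 follow the Apache S2-045 advisory (2.3.5 through 2.3.31, fixed in 2.3.32; 2.5 through 2.5.10, fixed in 2.5.10.1), and the fix date is the March 7 the deck uses. A real gate would take ranges from a feed such as OSV or NVD and use the ecosystem's own version-comparison rules.

```python
"""Dependency gate for a CI pipeline: match a component manifest against a
vulnerability feed, block the build on stale exposures, and roll the result up
into KPIs a security team can hand to stakeholders.

Added example, not code from the original deck. MANIFEST is constructed; the
FEED entries mirror the Apache S2-045 advisory ranges for CVE-2017-5638.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); a trailing qualifier such as '-beta1' is
    dropped. Enough for dotted numeric versions; production gates should use
    Maven ComparableVersion, semver or PEP 440 as appropriate."""
    parts: List[int] = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass(frozen=True)
class Component:
    group: str        # Maven groupId here; npm scope or PyPI name elsewhere
    artifact: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve: str
    group: str
    artifact: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive (OSV-style range)
    fix_published: date


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory: Advisory
    days_since_fix: int   # how long a fix has existed while this build still ships the bug


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component version falls in [introduced, fixed)."""
    if (component.group, component.artifact) != (adv.group, adv.artifact):
        return False
    v = parse_version(component.version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan(manifest: List[Component], feed: List[Advisory], today: date) -> List[Finding]:
    return [Finding(c, adv, (today - adv.fix_published).days)
            for c in manifest for adv in feed if is_affected(c, adv)]


def gate(findings: List[Finding], grace_days: int = 0) -> Tuple[bool, List[Finding]]:
    """(passed, blocking). A finding blocks once its fix has been available for
    more than grace_days. Zero is the right grace for anything exploitable:
    S2-045 was being exploited within a day of the fix."""
    blocking = [f for f in findings if f.days_since_fix > grace_days]
    return (not blocking, blocking)


def kpis(manifest: List[Component], findings: List[Finding]) -> Dict[str, float]:
    """The numbers to disseminate: share of the estate that is vulnerable and
    how long fixes have sat unapplied (mean and median, as in the TTR slide)."""
    vulnerable = {f.component for f in findings}
    ages = [f.days_since_fix for f in findings]
    return {
        "components": len(manifest),
        "vulnerable_components": len(vulnerable),
        "vulnerable_pct": round(100.0 * len(vulnerable) / len(manifest), 1) if manifest else 0.0,
        "mean_days_since_fix": float(mean(ages)) if ages else 0.0,
        "median_days_since_fix": float(median(ages)) if ages else 0.0,
    }


# Constructed feed: the two affected ranges of CVE-2017-5638, fix dated per the deck.
FEED = [
    Advisory("CVE-2017-5638", "org.apache.struts", "struts2-core", "2.3.5", "2.3.32", date(2017, 3, 7)),
    Advisory("CVE-2017-5638", "org.apache.struts", "struts2-core", "2.5", "2.5.10.1", date(2017, 3, 7)),
]

# Constructed manifest: three apps on different Struts releases plus an unrelated library.
MANIFEST = [
    Component("org.apache.struts", "struts2-core", "2.3.31"),    # affected, last 2.3.x before the fix
    Component("org.apache.struts", "struts2-core", "2.5.10"),    # affected, last 2.5.x before the fix
    Component("org.apache.struts", "struts2-core", "2.5.10.1"),  # the fixed release, clean
    Component("org.slf4j", "slf4j-api", "1.7.25"),               # not in the feed
]


def run(today: date = date(2017, 7, 29), grace_days: int = 0) -> Tuple[bool, Dict[str, float]]:
    """One pipeline run: scan, gate, report. Returns (passed, kpis)."""
    findings = scan(MANIFEST, FEED, today)
    passed, blocking = gate(findings, grace_days)
    for f in blocking:
        print(f"BLOCK {f.component.artifact}:{f.component.version} {f.advisory.cve} "
              f"fix available for {f.days_since_fix} days")
    return passed, kpis(MANIFEST, findings)


if __name__ == "__main__":
    ok, report = run()
    print(report)
    raise SystemExit(0 if ok else 1)
```

With the default date (the July 29 discovery date from the timeline) the two affected builds have shipped a known RCE for 144 days after a fix existed, the gate fails, and the KPI dictionary reports 2 of 4 components vulnerable with a mean and median exposure of 144 days. Raising `grace_days` is how a team deliberately accepts exposure; the point of the deck is that for a zero-day like Struts the acceptable number is zero.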
threats are real
A Shifting Battlefront of Attacks: Hackers Inject Malicious Code into Supply Chains
March 2016 - August 2018

1. left-pad: Popular npm packages were removed from the repository, breaking thousands of websites and revealing how changes can immediately propagate to the real world.
2. npm credentials used by publishers of 79,000 packages were published online or easily compromised by dictionary attacks.
3. npm typosquat: 40 intentionally malicious packages harvested credentials used to publish to the npm repository itself.
4. docker123321 images were created on Docker Hub. In Jan '18 it was accused of poisoning a Kubernetes honeypot, then in May '18 it was equated to a crypto mining botnet.
5. PyPI typosquat: The Slovak National Security Office (NBU) found 10 malicious PyPI packages. Evidence of the fake packages being downloaded and incorporated into software multiple times was noted between Jun '17 and Sept '17.
6. Malicious npm: Gilbertson writes a fictional tale of creating a malicious npm package to harvest credit card numbers from hundreds of websites.
7. npm credentials: A core contributor to the conventional-changelog ecosystem had their npm credentials compromised and a malicious version of the package was published. The package was installed 28,000 times in 35 hours and executed a Monero crypto miner.
8. go-bindata: after a developer deleted their GitHub account, someone immediately grabbed the ID, inheriting the karma instilled in that ID and calling into question what packages and sources are canonical and immutable.
9. Backdoored npm: The npm security team responded to reports of a package that masqueraded as a cookie parsing library but contained a malicious backdoor. Published in March '18 to introduce unauthorized publishing of mailparser; despite being deprecated, mailparser still received about 64,000 weekly downloads.
10. Backdoored PyPI: SSH Decorator (ssh-decorate), a library for handling SSH connections from Python code, was backdoored to enable stealing of private SSH credentials.
11. homebrew breach: Eric Holmes, an operations engineer at Remind, gained commit access to homebrew in under 30 minutes through an exposed GitHub API token. While he had no malicious intent, he gained access to components that are downloaded 500,000 times per month.

[Timeline axis: Mar 2016, July 2017, Sep 2017, Jan 2018, Feb 2018, May 2018, Aug 2018]
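Several incidents in this list can be caught or blunted before `install` runs: the typosquats in items 3 and 5 by comparing every dependency name against the packages you actually trust, the left-pad removal in item 1 and the hijacked releases in items 7 and 9 by refusing unpinned versions and entries without an integrity hash. The audit below is an added example written for this page, not code from the deck or from npm. The trusted list and the manifest entries (the look-alike names and the placeholder integrity strings included) are constructed; a real package-lock.json carries more fields than are modelled here.

```python
"""Pre-install lockfile audit: look-alike package names, unpinned versions and
missing integrity hashes.

Added example for this page, not code from the deck or from npm. TRUSTED and
MANIFEST are constructed; the integrity values are placeholders standing in for
the sha512 digests a real package-lock.json records.
"""
import re
from typing import Dict, List, Tuple

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transpositions, since swapped letters are a common typosquat form."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    """Case and separators are the cheapest things for a squatter to vary."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def lookalikes(name: str, trusted: List[str], max_distance: int = 1) -> List[str]:
    """Trusted names that `name` imitates but is not: equal after normalisation,
    or within max_distance edits. The edit-distance test only applies to names
    of four or more characters, where a one-edit match still means something."""
    n = normalize(name)
    hits = []
    for t in trusted:
        if t == name:
            continue
        tn = normalize(t)
        if n == tn or (len(n) >= 4 and edit_distance(n, tn) <= max_distance):
            hits.append(t)
    return hits


def is_exact_version(spec: str) -> bool:
    """'5.2.0' pins a release; '^1.1.0' or '*' lets the registry choose."""
    return bool(EXACT_VERSION.match(spec))


def audit(manifest: Dict[str, Dict[str, str]], trusted: List[str]) -> List[Tuple[str, str, str]]:
    """Return (package, rule, detail) findings for the whole manifest."""
    findings = []
    for name, meta in manifest.items():
        for t in lookalikes(name, trusted):
            findings.append((name, "lookalike", f"resembles trusted package {t}"))
        spec = meta.get("version", "")
        if not is_exact_version(spec):
            findings.append((name, "unpinned", f"{spec!r} is a range; the resolved release can change between builds"))
        if not meta.get("integrity"):
            findings.append((name, "no-integrity", "no hash recorded; a swapped tarball would install silently"))
    return findings


# Constructed: packages this project is allowed to depend on.
TRUSTED = ["cross-env", "lodash", "left-pad", "mailparser", "express", "request"]

# Constructed manifest in the shape of package-lock.json dependency entries.
MANIFEST: Dict[str, Dict[str, str]] = {
    "cross-env":  {"version": "5.2.0", "integrity": "sha512-PLACEHOLDER1"},
    "crossenv":   {"version": "6.1.1", "integrity": ""},   # separator dropped
    "lodahs":     {"version": "1.0.0"},                    # two letters swapped
    "left-pad":   {"version": "^1.1.0"},                   # range, no hash
    "mailparser": {"version": "2.2.0", "integrity": "sha512-PLACEHOLDER2"},
}


if __name__ == "__main__":
    for pkg, rule, detail in audit(MANIFEST, TRUSTED):
        print(f"{rule:12} {pkg:12} {detail}")
```

Run against the constructed manifest the audit reports six findings: `crossenv` and `lodahs` as look-alikes of trusted packages (both also lack a hash), and `left-pad` as both unpinned and hash-less, while the two legitimate, pinned, hashed entries pass. The same three rules fit any lockfile format once the name, version and digest fields are mapped; the length guard in `lookalikes` is what keeps two-letter package names from drowning the report in false positives.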
NPM AUDIT STATS
[Figure: npm audit statistics. Source: Laurie Voss, "npm and the future of JavaScript", 2018-10-10.]

BOUNCY CASTLE
CVE-2007-6721 (CVSS Base Score: 10.0 HIGH; Exploitability Subscore: 10.0)
9 years later, vulnerable versions of Bouncy Castle were downloaded...
[Figure: downloads of vulnerable Bouncy Castle versions, 2007 and 2016, with bars labeled 11M and 23M.]
do not boil
REDUCE DOWNSTREAM DEFECTS
PROTECT YOUR SOFTWARE SUPPLY CHAIN

THE REWARDS ARE IMPRESSIVE
• 90% improvement in time to deploy
• 34,000 hours saved in 90 days
• 48% increase in application quality

inevitable
 
WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.
 
“Exploring the world: One page turn at a time.” World Book and Copyright Day ...
“Exploring the world: One page turn at a time.” World Book and Copyright Day ...“Exploring the world: One page turn at a time.” World Book and Copyright Day ...
“Exploring the world: One page turn at a time.” World Book and Copyright Day ...
 
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
 
13875446-Ballistic Missile Trajectories.ppt
13875446-Ballistic Missile Trajectories.ppt13875446-Ballistic Missile Trajectories.ppt
13875446-Ballistic Missile Trajectories.ppt
 
Start Donating your Old Clothes to Poor People kurnool
Start Donating your Old Clothes to Poor People kurnoolStart Donating your Old Clothes to Poor People kurnool
Start Donating your Old Clothes to Poor People kurnool
 
call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in sector 22 Gurgaon  🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in sector 22 Gurgaon  🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...
Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...
Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...
 
Call Girls Bangalore Saanvi 7001305949 Independent Escort Service Bangalore
Call Girls Bangalore Saanvi 7001305949 Independent Escort Service BangaloreCall Girls Bangalore Saanvi 7001305949 Independent Escort Service Bangalore
Call Girls Bangalore Saanvi 7001305949 Independent Escort Service Bangalore
 
Call Girls In Le Meridien hotel New Delhi 9873777170
Call Girls In Le Meridien hotel New Delhi 9873777170Call Girls In Le Meridien hotel New Delhi 9873777170
Call Girls In Le Meridien hotel New Delhi 9873777170
 
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
 
Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...
 
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1  gurgaon  🔝 >༒9540349809 🔝 genuine Escort Service 🔝...call girls in DLF Phase 1  gurgaon  🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
 
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
 
call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
 
The Federal Budget and Health Care Policy
The Federal Budget and Health Care PolicyThe Federal Budget and Health Care Policy
The Federal Budget and Health Care Policy
 

Embracing DevSecOps: A Changing Security Landscape for the US Government

  • 1. DJ Schleen Embracing DevSecOps A Changing Security Landscape for the US Government @djschleen
  • 3. 3 not just for hipsters
  • 6. Photos courtesy of Pixabay and Pexels. the three ways
  • 7. 7 EFFICIENCY. AUTOMATE: Automate security toolsets by integrating them into your SDLC in an unobtrusive and transparent way. DISSEMINATE: Collect information from your toolsets, aggregate them into actionable KPIs, and deliver them to the appropriate stakeholders. INVESTIGATE: Establish baselines that define normal operating behavior and investigate abnormalities that appear. @djschleen
  • 10. 10 AGILE ISN’T AGILE ENOUGH. The faster a team can deploy to production, the quicker an organization can remediate critical vulnerabilities and zero days. Agile: Plan, Design, Build, Test, Deploy, Operate; Cycle Time: Weeks - Months; 10 – 20 Releases. DevSecOps: Plan, Design, Build, Test, Deploy, Operate, Learn, repeated in short loops; Cycle Time: Minutes - Hours; Your imagination is the limit... Observation: Increased flow can reduce the risk of outdated software stagnating in production. When change is normal and expected, fire-drills become a thing of the past. @dschleen
  • 11. 11 TIMELINE OF AN ATTACK (Mar – Sept). March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638. March 10: Equifax applications breached through Struts2 vulnerability (large scale exploit). July 29: Breach is discovered by Equifax. Phases: Probe, Crisis Management. @dschleen
  • 13. 13 EQUIFAX WAS NOT ALONE. 3 Days in March: March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638. March 8: NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances. Struts exploit published to Exploit-DB. March 9: Cisco observes "a high number of exploitation events." March 10: Equifax, Canada Revenue Agency, Canada Statistics, GMO Payment Gateway. The Rest of the Story: March 13: Okinawa Power, Japan Post. April 13: India Post. December ’17: Monero Cryptomining. March ’18: India’s AADHAAR. Today: 8,780 continue to download vulnerable versions of Struts; 57% of the Fortune 100.
  • 14. AVERAGE DAYS BEFORE VULNERABILITY IS EXPLOITED
  • 19. @dschleen SAY HELLO TO YOUR SOFTWARE SUPPLY CHAIN
  • 20. NOT ALL PARTS ARE CREATED EQUAL @devstefops
  • 22. 1,096 new projects per day 10,000 new versions per day 14x releases per year • 3M npm components • 2M Java components • 900K NuGet components • 870K PyPI components
  • 24. 24 DEFECT PERCENTAGES FOR JAVASCRIPT @djschleen
  • 25. 85% to 97% of modern apps consist of assembled components. 25
  • 26. 80% to 90% of modern operations consist of assembled containers. 26 Containers Hand-built applications and infrastructure
  • 27. PULLS FROM DOCKER HUB @djschleen
  • 28. time
  • 29. 233 days MeanTTR 119 days MedianTTR 122,802 components with known vulnerabilities 19,445 15.8% fixed the vulnerability TIME TO REPAIR OSS COMPONENTS @djschleen
  • 30. APACHE STRUTS2 MEAN TIME TO REPAIR: 0 days MeanTTR. CVE ID: CVE-2017-5638. March 7: Apache fixed the vulnerability (March 7). @djschleen
  • 31. 170,000 Java component downloads annually 3,500 unique 18,870 11.1% with known vulnerabilities 7,500 ORGANIZATIONS ANALYZED @djschleen
  • 34. 34 A Shifting Battlefront of Attacks: Hackers Inject Malicious Code into Supply Chains, March 2016 - August 2018 (timeline: Mar 2016, July 2017, Sep 2017, Jan 2018, Feb 2018, May 2018, Aug 2018). @djschleen
    1. left-pad: Popular npm packages were removed from the repository, breaking thousands of websites and revealing how changes can immediately propagate to the real world.
    2. npm credentials used by publishers of 79,000 packages were published online or easily compromised by dictionary attacks.
    3. npm typosquat: 40 intentionally malicious packages harvested credentials used to publish to the npm repository itself.
    4. docker123321 images were created on Docker Hub. In Jan ’18, it was accused of poisoning a Kubernetes honeypot, then in May ’18 it was equated to a crypto mining botnet.
    5. PyPI typosquat: The Slovak National Security Office (NBU) found 10 malicious PyPI packages. Evidence of the fake packages being downloaded and incorporated into software multiple times was noted between Jun ’17 and Sept ’17.
    6. Malicious npm: Gilbertson writes a fictional tale of creating a malicious npm package to harvest credit card numbers from hundreds of websites.
    7. npm credentials: A core contributor to the conventional-changelog ecosystem had their npm credentials compromised and a malicious version of the package was published. The package was installed 28,000 times in 35 hours and executed a Monero crypto miner.
    8. go-bindata: after a developer deleted their GitHub account, someone immediately grabbed the ID, inheriting the karma instilled in that ID and calling into question what packages and sources are canonical and immutable.
    9. Backdoored npm: The npm security team responded to reports of a package that masqueraded as a cookie parsing library but contained a malicious backdoor. Published in March ’18 to introduce unauthorized publishing of mailparser; despite being deprecated, mailparser still received about 64,000 weekly downloads.
    10. Backdoored PyPI: SSH Decorator (ssh-decorate), a library for handling SSH connections from Python code, was backdoored to enable stealing of private SSH credentials.
    11. homebrew breach: Eric Holmes, an operations engineer at Remind, gained commit access to homebrew in under 30 minutes through an exposed GitHub API token. While he had no malicious intent, he gained access to components that are downloaded 500,000 times per month.
  • 35. Laurie Voss, npm and the future of JavaScript, 2018-10-10 NPM AUDIT STATS
  • 36. 9 years later, vulnerable versions of Bouncy Castle were downloaded… 11M CVE-2007-6721 CVSS Base Score: 10.0 HIGH Exploitability Subscore: 10.0 23M 2007 2016 BOUNCY CASTLE
  • 37. Photo courtesy of Pixabay @djschleen do not boil
  • 40. THE REWARDS ARE IMPRESSIVE 90% improvement in time to deploy 34,000 hours saved in 90 days 48% increase in application quality @djschleen
  • 41. Image by DJ Schleen inevitable @djschleen