Security and Compliance Theater The Seventh Deadly Disease John - - PowerPoint PPT Presentation

▶

Apr 18, 2023 108 likes •536 views

Security and Compliance Theater The Seventh Deadly Disease John Willis @botchagalupe botchagalupe@gmail.com https://github.com/botchagalupe/my-presentations You cant Lean, Agile, SAFE, Devops or even SRE your way around a bad

SLIDE 1

Security and Compliance Theater “The Seventh Deadly Disease”

SLIDE 2

John Willis @botchagalupe botchagalupe@gmail.com

SLIDE 3

https://github.com/botchagalupe/my-presentations

SLIDE 4

SLIDE 5

You can’t Lean, Agile, SAFE, Devops or even SRE your way around a bad organizational culture.

SLIDE 6

What We Did

Organizational Anthropology

SLIDE 7

SLIDE 8

SLIDE 9

SLIDE 10

SLIDE 11

SLIDE 12

Conway’s Law

An adage named after computer programmer Melvin Conway, who introduced the idea in 1967. It states that. "organizations which design systems ... are constrained to produce designs which are copies of the communication structures

f these organizations.”

SLIDE 13

SLIDE 14

SLIDE 15

SLIDE 16

SLIDE 17

10 to 20 Pre-Assessment Calls
30 to 50 Assessment Meetings
Interview 150-200 People
Over 400 Pages of Notes
300 Summarized Observations

Organizational Anthropology

SLIDE 18

Two Days With Leadership

SLIDE 19

Common Top Three

Toil
Risk
Inconsistency

SLIDE 20

General Toil

Downstream Dependancies
ITIL Processing Toil
A Lot of Signoff’s
Only High Priority Get Fixed
High Technical Debt
Product and Team Silos

SLIDE 21

General Risk

Permitter Based Risk Models
Subjective Governance Models
Inconsistent Policies for Dev/Test/QA
Low Attestation Efficacy
Configuration Blind Spots

SLIDE 22

General Consistency

Inconsistent Environments
Unclear Roles and Responsibilities
CD Anti-Patterns
Cross Function Chaos

SLIDE 23

The Deadliest Disease!

SLIDE 24

SLIDE 25

Devops (Shift Left Auditors)

Review Boards (ARB, PRB,CAB)
Check Box Compliance
Workarounds and Hidden Work
Auditor Workarounds
Vulnerability Theater
Negative Risk RIO
Policy Theater

SLIDE 26

DevSecOps

Requirements & Design Development CI Interval Trigger Assessment Production

Application Risk Classification Security Requirement Definition Secure Libraries Static Analysis/IDE SCM Open Source Governance(CI) Secure Coding Standards Perimeter Assessment Dynamic Assessments Threat-Based Pen Test Web Application Firewalls Automated Attack/ Bot Defense Container Security Management

Security Mavens (Security-Trained Developers and Operations) Role Based Software Security Training

Continuous Monitoring, Analytics and KPI Gathering Preventative Detective

Container Security Compliance (CI) Threat modeling Static Analysis (CI)

SLIDE 27

DevSecOps Operational Tips

Work with and educate your auditors
Move Subjective Attestation to Objective Attestation
Ruthlessly eliminate false positives to Developers
Explain the vulnerabilities in business impact terms
Devops the vulnerability (JIRA, backlog, Kanban)
Open the code base to everyone in the organization
Educate on how to fix

SLIDE 28

Changing subjective attestation into objective attestation

SLIDE 29

Devops Automated Governance

Attestation of the integrity of

assets in the delivery pipeline

Automated Attestation in CI/

Transform CAB (Change

Advisory Board)

Reduce Effort w/ Compliance

Activities - “Continuous Compliance”

SLIDE 30

SLIDE 31

The Delivery Pipeline

SLIDE 32

Constructing an Attestation

SLIDE 33

Attestation Database

SLIDE 34

Basic Governance Model

SLIDE 35

Source Code Repository Stage

SLIDE 36

Build Stage

SLIDE 37

Dependency Management Stage

SLIDE 38

Package Stage

SLIDE 39

Artifact Stage

SLIDE 40

Prod Stage

SLIDE 41