@swagitda
Created November 18, 2019 15:56
Executive Summary of Controlled Chaos: the Inevitable Marriage of DevOps & Security (from BlackHat USA 2019)

Executive Summary of Controlled Chaos: the Inevitable Marriage of DevOps & Security, presented by Kelly Shortridge & Dr. Nicole Forsgren at BlackHat USA 2019

Key Takeaways

  1. The way tech is done in organizations is radically shifting, as is the face of organizations themselves in the “software is eating the world” paradigm. Dev is king as the driver of the business, and anyone standing in its way – including security – will be marginalized
  2. It is indeed possible for infosec to work hand in hand with dev, to embrace DevOps and shift with it rather than against it – because DevOps and security’s priorities are not truly that disparate with the rise of chaos and resilience engineering
  3. Security can plan for this future, adopting the D.I.E. model and chaos security engineering, and should be excited that defense will get a healthy dose of innovation for a change :)

Core Concepts

  • DevOps reflects the unification of responsibility and accountability; security likewise must go through a similar shift, in which the people responsible for building systems must become accountable for security issues that arise in them
  • Security's goal outcomes should not diverge from the goal outcomes held by DevOps; security should support the ability of an organization to safely innovate in response to change, not add friction to the process
  • The chaos & resilience engineering philosophy of "things will fail" can be naturally extended to include "things will be pwned" or "things will be hacked"; embracing this philosophy can lead to a reduction in remediation costs, disruption to end users, and stress levels during incidents
  • D.I.E. model: distributed, immutable, and ephemeral infrastructure offers inherent security benefits that are often overlooked, supporting the goal of building-in security by design; therefore, adopting modern infrastructure can actually beget stronger security
  • Chaos security engineering is repeated experimentation to test resilience and an organization's ability to respond to security incidents; adding chaos security into your testing suites can improve confidence in your systems by uncovering systemic weaknesses
  • To create "scalable love" between security and DevOps, security must sit in as early in the design phase as possible and serve as a subject-matter expert (SME) throughout the software delivery lifecycle (vs. a gatekeeper pre-release)