"The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications", Christoph Hartmann
0 likes61 views
The document discusses the collaboration between platform and security engineering to enhance application security in light of increasing vulnerabilities and automation among hackers. It highlights challenges in vulnerability management, reporting inefficiencies, and resource allocation between shipping new features and addressing security fixes. The solution proposed involves integrating security into the development process through unified tooling, open-source solutions, and continuous improvement practices.
"The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications", Christoph Hartmann
- 1. Platform and Security Engineering join forces to build more secure and robust applications. The death of #security as we know it Christoph Hartmann @chri_hartmann
- 2. Hi, I am Chris. I am CTO at Mondoo - leader in Security Posture Management What is your background? Y I co-created the open source security projects DevSec Project and InSpec, Co-Founded Vulcano Security (acquired by Chef Software) and was Director of Engineering at Chef Software @chri_hartmann
- 4. 4 Hackers used to look like this
- 5. 5 Ransomware is a business Name Name Words words Sales Quotas Playbooks Customer Support Affiliate Programs
- 6. 6 Average of 20% increase of YoY CVE publication
- 7. Vulnerability Discovery 0⃣ 0-Day Exploit 💥 Vulnerability discovered 📢 CVE published 🏗 Patch by vendor 📝 CVE assigned 0⃣ Exploit ~25% of CVEs have known exploits 14% exploits published before the patches 23% exploits published in the first week after CVE 50% exploits were published in the first month after CVE
- 8. Patch Rollout 🎟 Tickets created 🐌 Rollout Slow 🏗 Fixed in dev 🔎 Identify in dev 🛑 Report created According to NTT Application Security average time to fix high severity vulnerabilities is about 246 days
- 9. 9 🔥 Yearly increase of 20% of known vulnerabilities 🏎 Hackers use full automation to discover and hack targets, about 90% of exploits are available within the first month after the CVE has been published 🐌 Rollout of fixes is way too slow Issues outpace the fix
- 10. 10 Independent survey of 1100 IT and security professionals
- 11. 11 Hardening of Infrastructure (Cloud, Servers, Workstation) Patch Management 01 02 Main Problems: Why Hackers are so successful? The same root causes are also corroborated in the Cyber Signals Report by Microsoft that revealed 80% of attacks can be attributed to outdated software and misconfiguration.
- 12. Why is it so difficult? @chri_hartmann
- 13. 13 Software delivery Local Development Source Control CI/CD Pre-Production Production
- 14. 14 Use Case: Ensure that Cloud Storage Buckets have a uniform bucket level access enabled
- 15. 15 Ensure that Cloud Storage Buckets have a uniform bucket level access enabled Security Engineers focus on attack paths
- 16. 16 Ensure that Cloud Storage Buckets have a uniform bucket level access enabled Platform Engineers focus on automation
- 17. 17 Software delivery Local Development Source Control CI/CD Pre-Production Production
- 20. Interviewed and worked with 100+ Sec/DevOps Leaders Theme In their words…... More organized threats Software is eating the world so hackers are having a feast Wait days/weeks to data Coordinating over 30+ security tools to answer if we have the vulnerability and then waiting for verification it’s been fixed Security owns all the tools DevOps don’t have consistent access to what security uses, just their outputs aka a giant spreadsheet Security vendors are slow Their product roadmap is the same every year, so we hacked a solution to dump into Splunk Unclear on the right priority for the business The trade off between shipping new features vs fixing what security wants us to fix. Re-enforces good practices I need my teams to have a way continuous improve our posture and for management to recognize the effort
- 21. Security is Hard
- 23. Cloud Services Cluster Nodes Workloads (Deployments / Pods) Cluster Configuration Application Containers Unified View Tech Stack
- 24. Cloud Services Cluster Nodes Workloads (Deployments / Pods) Cluster Configuration Application Containers Application Delivery Pipeline Local Development Source Control CI/CD
- 25. 25 Ensure that Cloud Storage Buckets have a uniform bucket level access enabled Reach the next level: Focus on Problem
- 26. 26 Software delivery Local Development Source Control CI/CD Pre-Production Production
- 27. 27 What are successful security engineers using Access: Every developer and security engineer has access to the same tooling Coverage: security tooling that supports build and runtime Automation: security tooling that works hand-in-hand with automation Extensible: security tooling that has open source foundation, not hard-coded rules 1 2 3 4
- 28. 28 open source security https://cnquery.io Asset Inventory, search and gather information about your infrastructure https://cnspec.io Security Scanner, scan for vulnerabilities and misconfiguration
- 29. 29 Amazon S3 buckets do not allow public read access S3 Buckets are configured with 'Block public access' Easily ask questions with GraphQL-based MQL
- 30. 30 Use Security as Code to define requirements
- 31. 31 Discover Security Content Security Registry mondoo.com/registry Security Policies github.com/mondoohq/cnspec-policies Inventory and Incident Response Query Packs github.com/mondoohq/cnquery-packs
- 32. 32 We can be more secure! Local Development Source Control CI/CD Pre-Production Production
- 33. We built a platform we are using we worked at Soo Choi CEO Dominik Richter CPO Christoph Hartmann CTO Patrick Münch CISO
- 34. Christoph Hartmann 🐦 @chri_hartmann ✉ chris@mondoo.com 🏠 mondoo.com Thank you