Welcome to the Black Lives Matter Edition of Book Club, where we will talk about a couple of books that Tanya read recently, and what she thinks about them. The previous article in this series was about Communication and Metrics.
All of the books listed are available in audiobook, my preferred reading format.
We are covering this topic for several reasons, but the one that makes it relevant to this membership is that when Tanya, the founder of this company, used her social media accounts to share her support for those fighting oppression and systemic violence and racism in America (using the #BlackLivesMatter hashtag), all online sales at shehackspurple.dev …
The Second Way of DevOps is fast feedback. In security, when we see this we should all be thinking the same thing: Pushing Left. We want to start security at the beginning of the system development life cycle (SDLC) and ensure we are there (providing feedback) the whole way through!
Fast feedback loops mean getting important information to the right people, quickly and regularly. …
The previous article in this series is here. If you are lost reading this article, read the whole series from the start. :-D This is a long post, sit tight!
The first “Way” of DevOps is emphasizing the efficiency of the entire system. Many of us tend to focus only on our part of a giant system, and get bogged down improving only our own contributions to the larger process. It’s rare that we stand back, look at the entire thing, and realize that if we helped another team, or if we changed something small within our part, it could improve other areas for the better. The first way of DevOps is about looking at the entire system, and making sure the entire thing is as efficient as possible. …
The previous article in this series is here.
In this post we will explore The 3 Ways of DevOps. But first, a definition.
DevSecOps is Application Security, adjusted for a DevOps environment.
DevSecOps is the security activities that application security professionals perform, in order to ensure the systems created by DevOps practices are secure. It’s the same thing we (AppSec professionals) have always done, with a new twist. Thanks Imran!
Refresher on The Three Ways:
Let’s dig in, shall we? …
There are many definitions of DevOps, too many, some might say. Some people say it’s “People, Processes, and Products”, and that sounds great, but I don’t know what I’m supposed to do with that. When I did waterfall I also had people, processes, and products, and that was not great. I thought DevOps was supposed to be a huge improvement?
I’ve heard other people say that it’s paying one person to do two jobs (Dev and Ops), which can’t be right… Can it? I’ve also been told once by a CEO that their product was “made out of DevOps”, as though it was a substance. I decided not to work there, but that’s another story. …
In a recent ‘Ask Me Anything’ Tanya covers ‘Where can we learn Threat Modelling?’. The linked video is approximately 2 minutes.
In a recent ‘Ask Me Anything’ live stream, Tanya Janca of We Hack Purple discusses ‘DevSecOps versus Secure SDLC’. This video is approximately 2.5 minutes.
- Threat modelling during design
- Adding security requirements & review during requirements gathering
- Reviewing your design for security flaws and to ensure secure design concepts are applied
Application Security is every action you take towards ensuring the software that you (or someone else) create is secure.
This can mean a formal secure code review, hiring someone to come in and perform a penetration test, or updating your framework because you heard it has a serious security flaw. It doesn’t need to be extremely formal, it just needs to have the goal of ensuring your systems are more secure.
Now that we know what AppSec is, why is it important?
For starters, insecure software is (unfortunately) the #1 cause of data breaches (according to the Verizon Breach Reports, 2016, 2017, 2018 and 2019). This is not a list that anyone wants to be #1 on. According to the reports, insecure software causes 30–40% of breaches, year after year, yet 30–40% of the security budget is certainly not being spent on AppSec. …
This is the first in a many-part blog series on the topic of DevSecOps. Throughout the series we will discuss weaving security through DevOps in effective and efficient ways. We will also discuss the ideas that security is everybody’s job, it is everyone’s duty to perform their jobs in the most secure way they know how, and that it is the security team’s responsibility to enable everyone else in their organization to get their jobs done, securely. We will define DevOps, ‘The Three Ways’, AppSec and DevSecOps. …
In a recent ‘Ask Me Anything: Application Security’ live stream, Tanya Janca discusses ‘What would you tell University Students about Application Security?’ This video is approximately 9 minutes.