Thursday, May 16 • 2:10pm - 3:00pm
Shifting Left: Flat Earth Theory for Software Security


Spoiler: The Earth is round, and the way we build infrastructure and software has fundamentally changed, rendering some of our beloved approaches ineffective. Shifting left is promoted as "the way to do DevOps security," but it's harder than that. As our software becomes increasingly distributed, modular, and decoupled in design, we need to acknowledge the errors of our ways and adapt. Embracing failure is better than trying to prevent it. We can't test ourselves secure, no matter how many tests we run using whatever method. Gone are the days when endless whiteboarding sessions were frequent. We encourage each other to test in production and to learn by breaking. Moving fast is a business requirement, not a reckless development practice. We can't secure ourselves with a single tool or even with a bunch of them, no matter how good they are or how many fancy next-gen features they have. Our daily workload is analogous to a stream of events from every direction rather than a linear workflow.
This presentation will explore methods and security controls that don't fit into the "all things to the left" approach and will describe how to inject security into other phases without slowing things down. We've shifted concerns between team members as well as delegated many traditional security components to infrastructure- and platform-as-a-service solutions. We will propose solutions to leverage the right blend of software-defined security controls, automation, and good old-fashioned human thinking to avoid falling over the edge. We will examine the security practices that need to be done but don't fit within a shift-left security culture, and how they can be adapted to meet our evolving needs. At the end of this presentation, you’ll have greater exposure to the opportunities and challenges we have in front of us securing the current generation of software.


Speakers

Jack Mannino

CEO, nVisium
Jack is the Chief Executive Officer at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium in 2009 to invent new and more efficient ways of protecting software. Jack is an active mobile...


Thursday May 16, 2019 2:10pm - 3:00pm PDT
Terrace Lounge