The WORST practices in DevSecOps - Tanya Janca

Tanya Janca shares with us some of the worst common practices in DevSecOps that she frequently sees, and how to avoid them.

Video Transcript

The talk was called "The DevSecOps Worst Practices", and you said that you've got 15, so maybe we don't have time to talk about all 15 of them, but are there a couple that keep coming up after the many years and nearly 400 companies you talked about? What are the worst DevSecOps practices that come up frequently?

So the first one is breaking builds with false positives. I'm sure you see why that's a problem, but at a lot of companies the vendor tells them, the salesperson tells them, "Oh yeah, just plug it in and it will magically make all your AppSec dreams come true, it'll be perfect," and then they're breaking builds because they're like, "Well, Netflix does it." I'm like, "Is the name of your company Netflix? No? Okay, so your company's not Netflix, so then you don't have to do what they do." And they're amazing, and I've had lots of amazing friends that work there and they're cool. We're not as cool as Netflix, I don't know how to tell you that, but we're just not. So we need to be more realistic, and it's okay, not everyone can be Netflix. Of all the companies I know, only one is Netflix. And basically, we break trust every time we do that.

Another thing is they just throw the tools in and they don't test them first. So even if they're not breaking any builds, they throw in this tool and it's been six hours and it's still running, and they've done no testing, so they don't know why. Or they've written the static analysis tool and they didn't test it on a couple of apps, they just tested it on one tiny piece of code, and then they're testing against all the apps, and it's like, "Oh, you've reported 4,000 things," or, "Oh, it's tomorrow and it's still running." This might sound really obvious, but I see it all the time.

Or test results that are saved into the security tool, and then you have to remote desktop into another server, then you need a special password and username, then you go in and you can see those, and you can't copy and paste or export them. No dev's gonna fix that bug. They don't have time for that, they have work to do. Put your bugs with all the other bugs, and then it could be part of the work that they do. But if you keep it a secret, they're not going to fix any, or almost as many; very, very little. And again, I see this over and over again.

The one that people asked about a lot after the talk was, so I call it unreasonable service level agreements. But I started doing a thing and I didn't realize everyone wasn't doing it, so I've had a lot of people comment on this one. So this might sound nuts when I explain it, and it might sound really obvious, but I see it everywhere, where they decide, "Our service level agreement is there will be no criticals or highs or mediums going into prod anymore, and we're going to break the build if it's one of those." And then people who support legacy apps can't go to prod, like at all, because they have 300 criticals that are technical debt. And so here they are, let's say they fix 10, and the AppSec person's like, "No, you can't go to prod because you have all these criticals." So these 10 fixes stay not in production, when it could be a more secure app. And so I just configured the tools to have two SLAs: one for "this is the stuff from the first scan we ever did, this is our legacy, and we will chip away at this slowly over time," but the new stuff, no new big vulnerabilities are going into prod. And then all of a sudden we're passing builds, right? I'm still gonna hassle you about your technical debt, I'm still going to be a pain in your butt, because that's part of the AppSec job: you go and you bother them, like, "Hey, so there's still 300, I thought we were gonna go for 290 this month instead, what are we gonna do about this?" Right? But I see AppSec person after AppSec person just breaking the build, so either the legacy people are never going to prod, or they don't.

And so one of my friends, actually, she resigned. So I used to work somewhere, and then she started working there after me, to replace me after I did a contract there. And she said, basically after a year, she did this search of all of her pull requests, and less than half were merged. And she said, "I found tons of pull requests from you, and they're all critical and high vulnerability fixes," and she said there are over a hundred that no one had merged because of their one service level agreement, and the other AppSec person kept fighting her. And she's like, "That's it, I quit. I just can't do this. I can't fix hundreds of bugs and have you not submit them because it needs to be perfect. We're not perfect, buddy, newsflash." And so we had tea and she told me about it, and I gave her a hug because she needed one after that. But it seemed so obvious, right, when I explained it like that? But there's tons of AppSec people who I call the old guard, where they're like, "We're not letting any critical vulnerabilities into prod." Like, they're already there. You're not letting a new one in. Oh, come on.

When you explain things it seems obvious, but I think someone coming from the outside would be like, "Yeah, of course we'd block all the critical vulnerabilities." But that different mindset that you have to come in with, to say, "No, actually, we need to look at this a bit differently and move together, because we're already starting off on a poor footing."

Yes, yes. And if you can automate it, all the better.

So, I don't know if you're familiar with the concept of HugOps. In the Drupal community we embrace that a lot, because there's a lot that goes wrong in Drupal and you need a hug sometimes.

It's true. Oh, I should have told her, "I'm giving you HugOps." That would have been perfect.