Security in a world of Cloud, DevOps, DevSecOps and Chaos Engineering presented at DevSecConBoston 2018

by Ashish Rajan

Summary: The talk has two points of focus: first, a simple framework that helps create security guidelines, and second, scaling that framework using DevSecOps. The talk includes a demo of one of the services I created to scale the framework.

The prospect of the cloud is extremely attractive to many enterprises. Cloud, and the services offered on it as SaaS products, have become so popular that many CIOs and CTOs have given the directive "SaaS first, Cloud second". This movement has been gaining momentum at a staggering rate with little regard for cost or security. It puts security teams in a pickle: security needs to keep up with the pace at which cloud providers release products, which product implementation teams adopt at the same rate in their race to ship faster.

A common misconception about cloud, DevSecOps and chaos engineering is that they involve a steep learning curve and that a consultant has to be brought in to help. There is a learning curve: all of us need to understand the landscape well enough to threat model it, for example the shared responsibility model in the cloud and the CI/CD pipeline. It is not as steep as it is marketed, though. With cloud, the questions are about what is our responsibility to protect versus the cloud provider's. With DevSecOps, we need to know who owns the data and who is pressing the "Go/Deploy" button for a deployment. With chaos engineering, we need to be wary of test coverage. The list is endless once you add the complexity of the product being released. Each of the topics above can be complicated and is a talk in itself.

As security professionals with endless projects flowing through the pipeline for review, we need a framework that makes sense and makes security faster too, keeping pace with our DevOps colleagues. Over the past year I have tackled a few challenges in scaling security frameworks across organisations, and these challenges led me to DevSecOps for answers.

I will talk through the challenges of implementing security at the same pace as DevOps and how I navigated them: the tears of trial and triumph. Don't forget to bring some tissues to the talk.