Put open source to work
July 16–17, 2018: Training & Tutorials
July 18–19, 2018: Conference
Portland, OR

Security as a minimum viable product

Josh Bressers (Elastic)
11:50am–12:30pm Thursday, July 19, 2018
Software methodologies
Location: C123/124
Level: Intermediate
Average rating: *****
(5.00, 3 ratings)

Who is this presentation for?

  • Developers, architects, and anyone interested in security or development

Prerequisite knowledge

  • A basic understanding of development and security concepts

What you'll learn

  • Understand how DevOps and security work together
  • Learn actionable security strategies you can start implementing right away

Description

DevOps represents the natural evolution of software and how we build it. Long gone are the days of spending years trying to build the perfect piece of software. DevOps works because it’s not about building the perfect thing once; it’s about building one little thing and then working on it in quick increments. Why release once a year when you can release once a day?

The way most organizations think about security is very similar to how we used to build software. There is an obsession with perfection when what we really need is to understand what our security minimum viable product (MVP) is. Even once we understand our MVP, mistakes will be made. The ability to move quickly is by far the most valuable quality of good security.

Using the OWASP Top 10 as his guide, Josh Bressers explores some of the most common security mistakes made and explains how they might be avoided with just three basic development concepts that are easily covered by a DevOps process. Josh begins with a discussion of authentication. For a long time the security people warned not to roll your own crypto. Now you shouldn’t roll your own auth. If you simply use an OAuth or SAML provider, you can avoid nearly half the top 10 list. Josh then moves on to data, trust, and operations. He concludes by examining security and DevOps, demonstrating that there’s no such thing as DevSecOps; it’s really just DevOps.

Josh Bressers

Elastic

Josh Bressers is the head of product security at Elastic. Josh has been involved in the security of products and projects, especially open source, for a very long time and has helped build and manage security groups for many open source projects as well as a number of organizations—everything from managing vulnerabilities and the security development lifecycle to DevSecOps, security product management, security strategy, and nearly any other task that falls under the security umbrella. Josh cohosts the Open Source Security Podcast. He is an active member of the Distributed Weaknesses and Filing project, which is in the process of leveraging the power of open source for CVEs.