@chanjbs
- Главная
- Разное
- Дизайн
- Бизнес и предпринимательство
- Аналитика
- Образование
- Развлечения
- Красота и здоровье
- Финансы
- Государство
- Путешествия
- Спорт
- Недвижимость
- Армия
- Графика
- Культурология
- Еда и кулинария
- Лингвистика
- Английский язык
- Астрономия
- Алгебра
- Биология
- География
- Детские презентации
- Информатика
- История
- Литература
- Маркетинг
- Математика
- Медицина
- Менеджмент
- Музыка
- МХК
- Немецкий язык
- ОБЖ
- Обществознание
- Окружающий мир
- Педагогика
- Русский язык
- Технология
- Физика
- Философия
- Химия
- Шаблоны, картинки для презентаций
- Экология
- Экономика
- Юриспруденция
Splitting the Check on Compliance and Security презентация
Содержание
- 1. Splitting the Check on Compliance and Security
- 2. 2015 for Developers
- 3. 2015 for Auditors and Security Teams
- 4. The Problem
- 5. Developers: Incentives Speed Features Want Freedom to
- 6. The Resolution
- 7. “You build it, you run it.” -Werner Vogels, Amazon CTO (June 2006)
- 8. Who Cares About These Answers? When did
- 9. Before Developers and Auditors After
- 10. How Do We Get There?
- 11. Two Approaches to Compliance
- 12. Pillars for Effective, Efficient, and Flexible Compliance
- 13. The Pillars Traceability in development Continuous security visibility Compartmentalization
- 14. Discussion Format
- 15. Traceability in Development
- 16. Common Audit Requirements for Software Development
- 17. Spinnaker for Continuous Deployment Customizable development pipelines
- 18. Spinnaker: Compliance-Relevant Features Integrated access to development
- 19. Spinnaker: App-Centric View & Multistage Pipeline
- 20. Automated Canary Analysis
- 21. Manual Approval (Optional)
- 22. Restricted Deployment Window (Optional)
- 23. Restricted Deployment Window (Optional)
- 24. Deployment Notification (Optional)
- 25. Spinnaker vs. Manual Deployments Deployment is independent
- 26. Control Mapping
- 27. Continuous Security Visibility
- 28. Issues with Application Security Risk Management Spreadsheets
- 30. Penguin Shortbread – Automated Risk Analysis for
- 31. Application Risk Metric
- 32. Application Risk Rollup
- 33. Control Mapping
- 34. Compartmentalization
- 35. Compartmentalization Resilience: Limit blast radius Confidentiality: Need to know
- 36. Monolithic Card Processing in the Data Center
- 37. Microservices and Tokenization in AWS
- 38. Control Mapping
- 39. Wrapping Up! Limit investments in approaches that
- 40. @chanjbs - chan@netflix.com
2015 for Developers
Слайд 1Splitting the Check on Compliance and Security
Jason Chan
Engineering Director –
Cloud Security
@chanjbs
@chanjbs
Слайд 5Developers:
Incentives
Speed
Features
Want
Freedom to innovate
New technology
Incentives and Perspectives
Auditors:
Incentives
Compliance with regulatory obligations
Verifiable processes
Want
Well-known technology
Predictability
and stability
Слайд 8Who Cares About These Answers?
When did that code change?
Who made
the change?
Who logged in to that host?
What did they do?
Who pushed that code?
When was this dependency introduced?
Was that build tested before deployment?
What were the test results?
Who logged in to that host?
What did they do?
Who pushed that code?
When was this dependency introduced?
Was that build tested before deployment?
What were the test results?
?
Слайд 16Common Audit Requirements for
Software Development
Review changes.
Track changes.
Test changes.
Deploy only approved
code.
For all actions:
Who did it?
When?
For all actions:
Who did it?
When?
Слайд 17Spinnaker for Continuous Deployment
Customizable development pipelines (workflows)
Based on team requirements
Single interface
to entire deployment process
Answers who, what, when, and why
For developers and auditors
Answers who, what, when, and why
For developers and auditors
Слайд 18Spinnaker: Compliance-Relevant Features
Integrated access to development artifacts
Pull requests, test results, build
artifacts, etc.
Push authorization
Restricted deployment windows (time, region)
Deployment notifications
Push authorization
Restricted deployment windows (time, region)
Deployment notifications
Слайд 25Spinnaker vs. Manual Deployments
Deployment is independent of languages and other underlying
technology.
Java, Python, Linux, Windows…
Multiple stages of automated testing.
Integration, security, functional, production canary.
Fully traceable pipeline.
Changes and change drivers are fully visible.
All artifacts and test results available.
Java, Python, Linux, Windows…
Multiple stages of automated testing.
Integration, security, functional, production canary.
Fully traceable pipeline.
Changes and change drivers are fully visible.
All artifacts and test results available.
Слайд 28Issues with Application Security Risk Management
Spreadsheets and surveys!
Human driven.
Presuppose managed intake.
One-time
vs. continuous.
Слайд 30Penguin Shortbread – Automated Risk Analysis for Microservice Architectures
Analyze microservice connectivity.
Passively
monitor app and cloud configuration.
Develop risk scoring based on observations.
Develop risk scoring based on observations.
Слайд 39Wrapping Up!
Limit investments in approaches that meet narrow regulatory needs.
Embrace core
security design and operational principles.
Focus on tools and techniques that serve multiple audiences.
Focus on tools and techniques that serve multiple audiences.
