That was the main take away for me from today’s talks by SANS instructor Eric Johnson.
He was in the country running a workshop and talk at AISA conference in Melbourne and SANS contacted me if I was interested in having him doing a private talk to the team. I was elated and invited everyone in engineering, operations and security to attend the event.
Eric spoke about DevSecOps and cloud automation and did a Q&A session where we asked him about some of the challenges we are currently facing.
We spoke about the challenges with static analysis tool, container security scanning tools and threat modeling. He spoke about how threat modeling is hard in DevSecOps when we are making multiple code commits daily and the approach he recommends is a lightweight rapid risk assessment to quickly determine whether something should be in the fast track or slow track, whether it is on the paved road vs the off road. He mentioned the Mozilla’s approach with using 4 questions for the rapid risk assessment
- Are you making changes to the attack surface? (i.e new entry points)
- Are you changing the application stack or application security controls?
- Are you adding confidential/sensitive data?
- Have threat agents changed? Are we facing new risk?
He also recommended a couple of good books including
- The Phoenix project
- 5 dysfunctions of a team
- Lean enterprise
- Building a DevOps culture
It was a great talk with lots of learnings and takeaways.