Fork me on GitHub
#bof-sec-audit-compliance-grc
<
2020-10-14
>
dgmorales03:10:56

Hi everyone. Where I can find the "canonical" definition of Segregation of Duties? Or the next best thing? Is it within the SOX act text (I didn't find it there)?

dgmorales03:10:34

I am always looking for segregation of duties (SOD) cases on DevOps context

dgmorales03:10:39

Implementations seem to range from "requiring any 2+ people to approve a change" (like any code review) to "require 2 or 3 people from 2 or 3 different roles" (dev and ops and biz)

Curtis Yanko - Sonatype13:10:56

I always interpreted this as, ‘it should take an act of collusion to commit fraud’, or ‘no one person should be able to commit fraud’.

Curtis Yanko - Sonatype13:10:40

Historically implemented as dev can’t deploy with the idea that if only Ops can deploy the code then no dev can sneak stuff in.

Curtis Yanko - Sonatype13:10:13

More recently though folks use the ‘four eyes’ principal (code reviews) to approve code changes which is much more effective.

Paula Thrasher - PagerDuty13:10:36

https://nvd.nist.gov/800-53/Rev4/control/AC-5. Though to be clear, it does not explicitly mandate separate people/roles. But the language walks so close to requiring it that most people implement it that way. (Even though it has more to do with auditing vs building than the deployment process) Agree that 'four eyes' or what I call the "nuclear code" model (two keys required to launch) is a better system.

dgmorales15:10:17

The NIST definition really walks very close to require separate roles. Point (ii) seems the most strong on it. And most definitions/descriptions I've seem from regulations (or interpretations/guides to regulations) do walk that close.

dgmorales15:10:11

Do you have knowledge of any material that specifically discuss the validity of the "four eyes" approach to separation of duties?

dgmorales15:10:56

The Acellerate book show a case like that (four eyes review for SOD), but it does not dive much in "convincing material" for discussing it with auditors/etc.. It always seems a understading that you will have to build with your governance team and auditors. One that won't be easy to build 😄

Paula Thrasher - PagerDuty21:10:04

@dmorales I've never seen someone commit to writing that 'four eyes' is a control - but there is where partnership with your auditor is key. In a past life, we were able to show an auditor that developer could deploy - only through the automated tool - and only after reviews/automated checks - and that the pipeline was immutable (developers could not circumvent it) and the audit log was immutable (developers did not have rights to change it) so it had the effect of meeting the separation of concerns by having different people for development vs audit. Make friends with your auditor, is what I'm saying 😅

☝️ 1
👍 1
dgmorales15:10:08

Btw, does anyone know of an open and permanent forum/community on the Internet focused on devops+compliance/audit/grc ?

dgmorales15:10:26

To keep the discussionn going after events like this 😄

Derek Weeks, Sonatype / All Day DevOps16:10:33

All Day DevOps has a slack community that is open all year. Within that workspace there is a DevSecOps channel.

Derek Weeks, Sonatype / All Day DevOps16:10:00

You can access it at http://alldaydevops.com and click on the Slack logo at the top of the page.

Derek Weeks, Sonatype / All Day DevOps16:10:28

I would also do google searches for other Slack communities as there are many to find out there.

dgmorales16:10:50

Thanks, I'll take a look!

Derek Weeks, Sonatype / All Day DevOps16:10:36

Things we discussed in the first BOF session on Tuesday:

Derek Weeks, Sonatype / All Day DevOps16:10:16

• how to integrate security teams into development? Team meetings, training, tooling, etc.

Derek Weeks, Sonatype / All Day DevOps16:10:45

• how to implement automated ATOs (authority to operate into DevOps environments)

Derek Weeks, Sonatype / All Day DevOps16:10:32

• how to get Compliance and Audit to sign off on an automated set of rules/guardrails that support better and more consistent compliance

Derek Weeks, Sonatype / All Day DevOps16:10:16

• How to best educate developers on the wide variety of compliance requirements in heavily regulated industries

Derek Weeks, Sonatype / All Day DevOps16:10:02

• How can small security/AppSec teams best serve large development organizations? (i.e., we’re outnumbered, help!)

Derek Weeks, Sonatype / All Day DevOps16:10:42

• Who is using DevSecOps scoring, grading, or gamification to influence behaviors

Vaidik Kapoor (Speaker) - Technology Consultant16:10:03

interested in this we are talking about this today

Derek Weeks, Sonatype / All Day DevOps16:10:20

Have any of these questions yourself? Come join this BOF later today.

👀 1
Kevin Miller - Sonatype21:10:40

<!here> Hi everyone!  I’ll be hosting tonight’s Security-Audit-Compliance-GRC session.   Looking forward to talking with you all as this is always an exciting topic: Here’s the Zoom info for BOF session starting at 2:45pm PT / 5:45pm ET: https://sonatype.zoom.us/j/96981266419 Meeting ID: 969 8126 6419 One tap mobile <tel:+16468769923,,96981266419#|+16468769923,,96981266419#> US (New York) <tel:+13017158592,,96981266419#|+13017158592,,96981266419#> US (Germantown)

Kevin Miller - Sonatype22:10:04

Great conversation tonight around: • how to integrate security into DevOps without slowing down the process, or becoming the "bad guys" • GDPR/California/SOX Compliance • Segregation of Duties (SOD) • using containers and pipelines to help ensure compliance Also check out: https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/

Kevin Miller - Sonatype22:10:36

One more session tomorrow afternoon Thursday 10/15 @ 2:45pm PST / 5:45pm EST on all of your security, audit, compliance and DevSecOps questions. Dont miss it!

Deepti Venuturumilli22:10:21

Have a generic question on Risk Management tools -- How is the risk score calculated in the IT risk management tools? What attributes is the risk score based on?

Vaidik Kapoor (Speaker) - Technology Consultant05:10:12

I am guessing that would be subjective. Other than general IT controls, its hard to have a common framework for scoring

1
Myles [Sooner Safer Happier]19:10:09

Agree. In our experience we found Risk scoring not to be that helpful. Instead we created cross functional safety teams who engaged across 1 or more value streams on a continual basis. Instead of a Risk score the team agreed through discussion which quarterly Outcomes needed their attention and what Risk Stories to place in the backlog.

Deepti Venuturumilli19:10:20

That is interesting approach @mylesogilvie

Myles [Sooner Safer Happier]19:10:14

More detail in Sooner Safer Happier (one of the free download books)

Myles [Sooner Safer Happier]19:10:47

we scaled across 15,000 people in a traditional UK bank

Myles [Sooner Safer Happier]19:10:04

..that processes 30% of UK GDP every day.

Rich B - DevOps is my career change23:10:25

sorry I had to drop really wanted to participate in this convo, going through this right now