Secure application deployment in Apache CloudStack

At the Apache CloudStack Collaboration Conference in Montreal, I presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and advise when deployed instances carry application security issues that have public disclosures or, better still, available remediation.

Source cited on slide 4: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
Secure application deployment in Apache CloudStack (slide transcript)

    1. Secure application deployment
    2. #whoami – Tim Mackey. Current roles: Senior Technical Evangelist; occasional coder. Previously XenServer Community Manager. Cool things I've done: designed laser communication systems; early designer of retail self-checkout machines; embedded special relativity algorithms into an industrial control system. Find me: Twitter @TimInTech; SlideShare slideshare.net/TimMackey; LinkedIn www.linkedin.com/in/mackeytim
    3. Security reality: no solution is perfect. Defense in depth matters.
    4. Attacks are big business: in 2015, 89% of data breaches had a financial or espionage motive. Source: Verizon 2016 Data Breach Report.
    5. Easy access to source code: open source ubiquity makes it an easy target. Open source isn't more or less secure than closed source; it's just easier to access. Vulnerabilities are publicized, and exploits are published.
    6. Anatomy of a new attack: potential attack -> iterate -> test against platforms -> document (don't forget the PR department) -> deploy.
    7. How open source enters a code base: delivered code, open source code, supply chain code, legacy code, reused code and containers, commercial code, internally developed code, outsourced code.
    8. Who is responsible for code and security? Closed source commercial code: dedicated security researchers, alerting and notification infrastructure, regular patch updates, a dedicated support team with an SLA. Open source code: "community"-based code analysis, you monitor newsfeeds yourself, no standard patching mechanism. Ultimately, you are responsible.
    9. Without evidence, nothing else matters. Trusting build files, manifests, package managers and file names, versus evidence-based identification of open source by scanning files in context: are packages complete? Determine package context.
    10. Increasing number of OSS vulnerabilities. [Chart: open source vulnerabilities reported per year, 1999 to 2015, split into BDS-exclusive and NVD; vertical axis 0 to 3500.] Reference: Black Duck Software Knowledgebase, NVD.
    11. Automated tools miss most open source vulnerabilities. Static and dynamic analysis only discover common vulnerabilities: of the 3,000+ disclosed in 2014, less than 1% were found by automated tools. The undiscovered vulnerabilities are too complex and nuanced.
    12. What do these all have in common?

                        Heartbleed                   Shellshock   FREAK         GHOST               Venom
       Since:           2011                         1989         1990's        2000                2004
       Discovered:      2014                         2014         2015          2015                2015
       Discovered by:   Riku, Antti, Matti, Mehta    Chazelas     Beurdouche    Qualys researchers  Geffner
       Component:       OpenSSL                      Bash         OpenSSL       GNU C library       QEMU

    13. Integrating into tools and processes. Pipeline: develop -> SCM -> build -> package -> deploy -> production, with bug tracking alongside. Full app sec visibility via IBM AppScan integration. Build / CI server: scan applications with each build via CI integration. Delivery pipeline: scan applications and containers before delivery. Production: continuous monitoring of vulnerabilities. Bug tracking: remediate and track license compliance and security vulnerabilities.
    14. Misaligned security investment.
    15. A solution should include these components. SELECT: choose open source proactively; choose secure, supported open source. VERIFY: inventory open source (maintain an accurate list of open source components throughout the SDL) and map existing vulnerabilities (identify vulns during development). MONITOR: track new vulnerabilities (alert on new vulns in production apps). REMEDIATE: fix vulnerabilities (tell developers how to remediate).
    16. We need your help. Knowledge is power: know what's running and why; define a proactive vulnerability response process; don't let the technology hype cycle dictate security. Invest in defense in depth models: don't rely on perimeter security to do the heavy lifting; do look at hypervisor and container trends in security; make developers and ops teams part of the solution; do embed security into the deployment process. Together we can build a more secure data center.
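As an added illustration of the VERIFY / MONITOR / REMEDIATE loop from slide 15 applied to the template-assessment idea in the introduction (example code written for this page, not the speaker's or CloudStack's own), the block below keeps a per-template component inventory, maps it against two snapshots of a vulnerability feed, and reports only the new findings with their remediation. Template ids, component versions and advisory ids are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # placeholder id, constructed for this example
    component: str
    affected: frozenset  # constructed set of affected versions
    fixed_in: str        # remediation the provider passes to the template owner


# VERIFY: inventory a provider records when a template is registered (constructed).
TEMPLATES = {
    "tmpl-web-01": frozenset({Component("openssl", "1.0.1f"), Component("bash", "4.3")}),
    "tmpl-db-02": frozenset({Component("openssl", "1.0.1g"), Component("glibc", "2.17")}),
}

# Two snapshots of a vulnerability feed (constructed; day 2 adds one advisory).
FEED_DAY1 = frozenset({
    Advisory("ADV-0001", "openssl", frozenset({"1.0.1f"}), "1.0.1g"),
    Advisory("ADV-0002", "bash", frozenset({"4.3"}), "4.3 with vendor patch"),
})
FEED_DAY2 = FEED_DAY1 | {Advisory("ADV-0003", "glibc", frozenset({"2.17"}), "2.18")}


def map_vulnerabilities(inventory, feed):
    """Map each template id to the (component, advisory) pairs that affect it."""
    findings = {}
    for template_id, components in inventory.items():
        hits = {(c, a) for c in components for a in feed
                if a.component == c.name and c.version in a.affected}
        if hits:
            findings[template_id] = hits
    return findings


def new_findings(previous, current):
    """MONITOR: keep only pairs that were not already known in the previous run."""
    return {tid: hits - previous.get(tid, set())
            for tid, hits in current.items() if hits - previous.get(tid, set())}


def remediation_notes(findings):
    """REMEDIATE: one actionable line per finding, sorted for stable output."""
    notes = []
    for tid, hits in sorted(findings.items()):
        for comp, adv in sorted(hits, key=lambda h: (h[0].name, h[1].advisory_id)):
            notes.append(f"{tid}: {comp.name} {comp.version} affected by "
                         f"{adv.advisory_id}; upgrade to {adv.fixed_in}")
    return notes


if __name__ == "__main__":
    day1 = map_vulnerabilities(TEMPLATES, FEED_DAY1)
    day2 = map_vulnerabilities(TEMPLATES, FEED_DAY2)
    for line in remediation_notes(new_findings(day1, day2)):
        print(line)
```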