Secure application deployment in the age of continuous delivery
•Download as PPTX, PDF•
0 likes•371 views
At the Apache CloudStack Collaboration Conference in Montreal, Tim Mackey (Senior Technical Evangelist at Black Duck Software) presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and potentially advise if deployed instances have application security issues which have either public disclosures, or better still remediation.
Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Viewers also liked
Viewers also liked (18)
Similar to Secure application deployment in the age of continuous delivery
Similar to Secure application deployment in the age of continuous delivery (20)
More from Black Duck by Synopsys
More from Black Duck by Synopsys (20)
Recently uploaded
Recently uploaded (20)
Secure application deployment in the age of continuous delivery
- 2. #whoami – Tim Mackey • Current roles: Senior Technical Evangelist; Occasional coder • Previously XenServer Community Manager • Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system • Find me • Twitter: @TimInTech • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim
- 3. Security reality No solution is perfect. Defense in depth matters.
- 4. Attacks are big business In 2015, 89% of data breaches had a financial or espionage motive Source: Verizon 2016 Data Breach Report
- 5. EASY ACCESS TO SOURCE CODE Open source ubiquity makes it an easy target OPEN SOURCE ISN’T MORE OR LESS SECURE THAN CLOSED SOURCE – ITS JUST EASIER TO ACCESS VULNERABILITIES ARE PUBLICIZED EXPLOITS ARE PUBLISHED
- 6. Anatomy of a new attack Potential Attack Iterate Test against platforms Document Don’t forget PR department Deploy
- 7. DELIVERED CODE OPEN SOURCE CODE SUPPLY CHAIN CODE LEGACY CODE REUSED CODE/CONTAINERS COMMERCIAL CODE INTERNALLY DEVELOPED CODE OUTSOURCED CODE How open source enters a code base
- 8. CLOSED SOURCE COMMERCIAL CODE DEDICATED SECURITY RESEARCHERS ALERTING AND NOTIFICATION INFRASTRUCTURE REGULAR PATCH UPDATES DEDICATED SUPPORT TEAM WITH SLA OPEN SOURCE CODE “COMMUNITY”-BASED CODE ANALYSIS MONITOR NEWSFEEDS YOURSELF NO STANDARD PATCHING MECHANISM ULTIMATELY, YOU ARE RESPONSIBLE Who is responsible for code and security?
- 9. TRUST BUILD FILES, MANIFESTS, PACKAGE MANAGERS, FILE NAMES EVIDENCE-BASED IDENTIFICATION OF OPEN SOURCE BY SCANNING FILES IN CONTEXT Without evidence, nothing else matters Are packages complete? Determine package context
- 10. 0 500 1000 1500 2000 2500 3000 3500 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Open Source Vulnerabilities Reported Per Year BDS-exclusive nvd Reference: Black Duck Software Knowledgebase, NVD INCREASING NUMBER OF OSS VULNERABILITIES
- 11. Automated tools miss most open source vulnerabilities Static & Dynamic Analysis Only discover common vulnerabilities 3,000+ disclosed in 2014 Less than 1% found by automated tools Undiscovered vulnerabilities are too complex and nuanced All possible security vulnerabilities
- 12. What do these all have in common? Heartbleed Shellshock GhostFreak Venom Since: Discovered: 2011 2014 1989 2014 1990’s 2015 2000 2015 2004 2015 Discovered by: Component: OpenSSL Riku, Antti, Matti, Mehta Bash Chazelas OpenSSL Beurdouche GNU C library Qualys researchers QEMU Geffner
- 13. Integrating into tools and processes DEVELOP SCM BUILD PACKAGE DEPLOY PRODUCTION BUG TRACKING REMEDIATE AND TRACK LICENSE COMPLIANCE AND SECURITY VULNERABILITIES FULL APP SEC VISIBILITY VIA IBM APPSCAN INTEGRATION BUILD / CI SERVER SCAN APPLICATIONS WITH EACH BUILD VIA CI INTEGRATION DELIVERY PIPELINE SCAN APPLICATIONS AND CONTAINERS BEFORE DELIVERY CONTINUOUS MONITORING OF VULNERABILITIES
- 15. A solution should include these components Choose Open Source Proactively choose secure, supported open source SELECT Inventory Open Source Map Existing Vulnerabilities Maintain accurate list of open source components throughout the SDL Identify vulns during development VERIFY Track New Vulnerabilities Alert new vulns in production apps MONITORREMEDIATE Fix Vulnerabilities Tell developers how to remediate
- 16. We need your help Knowledge is power • Know what’s running and why • Define proactive vulnerability response process • Don’t let technology hype cycle dictate security Invest in defense in depth models • Don’t rely on perimeter security to do heavy lifting • Do look at hypervisor & container trends in security • Make developers and ops teams part of the solution • Do embed security into deployment process Together we can build a more secure data center
Editor's Notes
- Image: http://morguefile.com/p/209940
- http://www.istockphoto.com/photo/computer-crime-concept-gm516607038-89059287?st=9174601 http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
- http://www.istockphoto.com/photo/person-in-hooded-sweater-using-a-laptop-on-wooden-table-gm464503138-58544934?st=cf78f31 http://www.istockphoto.com/photo/cloud-computing-gm518556682-90104967
- http://www.istockphoto.com/photo/strength-in-unity-gm514713440-88219133?st=af7fa36