
Continuous security improvements in the DevOps process


Talk held on Dec 4th at the Security Interest Group Switzerland SIGS DevSecOps Forum in Bern, Switzerland

Published in: Software

Continuous security improvements in the DevOps process

  1. Continuous Security improvement in the DevOps process. Aarno Aukia, CTO @ VSHN - The DevOps Company
  2. Agenda
     ● About Aarno & VSHN.ch
     ● From Ops to DevOps
     ● DevOps/DevSecOps/SecOps?
     ● Automating Operations to include security
       ○ Build
       ○ Test
       ○ Deployment
       ○ Ops
  3. About Aarno & VSHN.ch
     ● @aarnoaukia, http://about.me/aarno, aarno.aukia@vshn.ch
     ● ETH → Google → Atrila → VSHN
     ● VSHN - The DevOps Company: since 2014, currently 30 VSHNeers in Zürich, Switzerland
     ● We help developers run web applications 24/7 in any cloud, making both visitors happy with stability and developers happy with agility
  4. OPS = Firefighting-as-a-Service?
  5. DevOps: People, Processes & Tools
  6. Memberships
  7. Areas of security improvement
     ● Developer education, requirements engineering, design review -> AppSec
     ● Software Build/Deployment/Operations -> DevSecOps
     ● Incident detection & management -> SecOps
  8. Areas of security improvement (repeat of slide 7)
  9. DevSecOps principles
  10. Build
     ● static code analysis automatically for each commit
     ● Dependency Management
     ● (base) container image scanning
  11. Code analysis: sonarqube
  12. Dependency updates: https://dependabot.com
  13. Container scanning: aquasec
  14. Test
     ● smoke tests
     ● test envs “à discretion”
  15. Deployment
     ● atomic container deployment
     ● every deployment (and rollback) is a “normal deployment”
     ● deployment automation removes the need for (all) devs to have root prod access and/or to wait for ops to deploy a new dev version
  16. Ops
     ● standardization on a (minimal, hardened) OS and container orchestrator
     ● immutable (application) infrastructure using containers
     ● process/storage/network separation of applications/environments
     ● detect/prevent configuration drift between dev/test/stage/prod envs
     ● documentation & automatic backup of all volumes
     ● documentation & monitoring of routes/loadbalancers/ingress points with enforced SSL/TLS
     ● AAI for admin & application
     ● key & secrets management
     ● audit logging of control & application planes
  17. Container isolation
     ● Kernel namespacing (process & network)
     ● Control groups (resource quota to prevent DoS)
     ● SELinux (additional syscall filter)
     ● prevent running as root inside the container, no user-provided privileged containers (enforce best practice)
     ● read-only container filesystem (harder to persist an exploit at runtime)
  18. AAI: Keycloak
     ● Identity & Access Management
     ● Single sign in/out
     ● Identity brokering:
       ○ OpenID Connect (OAuth2, FB/Twitter/Github etc.)
       ○ SAML 2.0
       ○ Kerberos
     ● User federation: LDAP, AD, etc.
     ● 2FA: TOTP/HOTP
     ● Managing the Authorization groups
  19. Logs: ELK/EFK/Graylog
     ● Logging all access and changes through the control plane
     ● Logging all access to the application and correlating it with application logs
     ● Index, view, filter, aggregate KPIs → monitoring
     ● Store outside of the application scope
  20. Metrics: Prometheus / NewRelic
     ● Prometheus
       ○ time series database
       ○ open source / CNCF project
       ○ well integrated with docker/kubernetes stats
     ● NewRelic APM
       ○ application-level profiling
       ○ performance tracking
       ○ exception tracking (backend & frontend)
       ○ available as SaaS
  21. Kubernetes Distribution Architecture
  22. Auxiliary Services we use at APPUiO.ch
     ● OpenShift, Kubernetes, Docker
     ● Logging: EFK
     ● Metrics: Prometheus
     ● SSL certificates: letsencrypt.org
     ● Source-to-image builder, Dockerfile builder, Docker image registry: OpenShift
     ● Load balancing, horizontal (auto) scaling, rolling deployments: Kubernetes
     ● MySQL/MariaDB, PostgreSQL, Redis, Solr, Elasticsearch, RabbitMQ, MongoDB: either single-container for dev or DBaaS for prod
     ● 24/7 Support and SLA, cloud or on-premises
  23. APPUiO.ch in 14 countries & on-premises
  24. Thank you
     ● Please do get in touch with feedback
     ● Twitter: @aarnoaukia
     ● Linkedin: https://www.linkedin.com/in/aukia/
     ● Email: aarno.aukia@vshn.ch
  25. Come visit us for a coffee! VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - info@vshn.ch - https://vshn.ch/kontakt/ Follow us on Twitter! @vshn_ch
  26. The CNCF Landscape
  27. Cloud Native Computing: Next Event February 21, 2019 from 6.30pm, https://www.meetup.com/Cloud-Native-Computing-Switzerland. Please volunteer for Sponsoring & Talks: https://cnc-meetup.ch
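The container-isolation practices on slides 16 and 17 (no privileged containers, no root inside the container, read-only filesystem, cgroup limits, kernel namespaces) are the kind of thing an orchestrator should enforce rather than a reviewer remember. The following is an added example, not code from the talk or from VSHN: a small policy check over a pod spec, with a constructed weak manifest and the same workload hardened; the manifests and the `check_container_isolation` function are assumptions for illustration.

```python
# Added example (not from the talk): flags pod specs that violate the
# container-isolation practices on slides 16 and 17. Specs are constructed dicts.
def check_container_isolation(pod: dict) -> list:
    """Return the list of violations found in one pod spec (empty = compliant)."""
    findings = []
    spec = pod.get("spec", {})
    # Kernel namespacing: hostPID/hostNetwork give up process/network isolation
    for ns in ("hostPID", "hostNetwork"):
        if spec.get(ns):
            findings.append(f"pod: {ns} shares the node's namespace")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # No user-provided privileged containers
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Prevent running as root; a container-level setting overrides the pod-level one
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not enforced")
        # Read-only root filesystem: harder to persist an exploit at runtime
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem")
        # Control groups: resource limits so one app cannot DoS the node
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit")
    return findings

# Constructed sample: the weak manifest and the same workload hardened.
WEAK_POD = {"spec": {
    "hostNetwork": True,
    "containers": [{"name": "web", "image": "example/web:1.0",
                    "securityContext": {"privileged": True}}],
}}

HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "web", "image": "example/web:1.0",
                    "securityContext": {"readOnlyRootFilesystem": True,
                                        "allowPrivilegeEscalation": False},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_container_isolation(pod) or "OK")
```

The same check is what an admission controller or a CI step on the manifest repository would run before anything reaches prod, which is how the "enforce best practice" and "detect configuration drift" points on these slides turn into an automated gate.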
