
DevSecOps: Bringing security to the DevOps pipeline


How to continuously improve security in software development and software operations by proactive collaboration, robust processes and readily available tooling to make sure the "paved path" (the path of least resistance) for developers is the correct/secure/supported path.

Talk held at the Security Chat on Mar 25th 2019 in Zürich, Switzerland

Published in: Software

  1. VSHN - The DevOps Company: Continuous Security improvement in the DevOps process. Aarno Aukia, CTO @ VSHN - The DevOps Company
  2. Agenda
     ● About Aarno & VSHN.ch
     ● From Ops to DevOps
     ● DevOps/DevSecOps/SecOps?
     ● Automating Operations to include security
       ○ Build
       ○ Test
       ○ Deployment
       ○ Ops
     ● IT Governance benefits
  3. About Aarno & VSHN.ch
     ● Aarno Aukia: @aarnoaukia, http://about.me/aarno, aarno.aukia@vshn.ch; ETH → Google → Atrila → VSHN
     ● VSHN - The DevOps Company: since 2014, currently 35 VSHNeers in Zürich, Switzerland. Helping developers run applications on any infrastructure, making both visitors happy with stability and developers happy with agility
  4. OPS = Firefighting-as-a-Service?
  5. Capability Maturity Model Integration (CMMI) (diagram: Operations 2014). How to get to this level?
  6. DevOps: CMMI Level 5: People, Processes & Tools
  7. Areas of security improvement
     ● Developer education, requirements engineering, design review -> AppSec
     ● Software Build/Deployment/Operations -> DevSecOps
     ● Incident detection & management -> SecOps
  8. Areas of security improvement (same content as slide 7)
  9. DevSecOps principles
  10. Build
     ● static code analysis automatically for each commit
     ● Dependency Management
     ● (base) container image scanning
  11. Code analysis: SonarQube
  12. Dependency updates: https://dependabot.com
  13. Container scanning: aquasec
  14. Test
     ● smoke tests
     ● test envs "à discretion"
  15. Deployment
     ● atomic container deployment
     ● every deployment (and rollback) is a "normal deployment"
     ● deployment automation removes the need for (all) devs to have root prod access and/or to wait for ops to deploy a new dev version
  16. Ops
     ● standardization on a (minimal, hardened) OS and container orchestrator
     ● immutable (application) infrastructure using containers
     ● process/storage/network separation of applications/environments
     ● detect/prevent configuration drift between dev/test/stage/prod envs
     ● documentation & automatic backup of all volumes
     ● documentation & monitoring of routes/load balancers/ingress points, with enforced SSL/TLS
     ● AAI for admin & application
     ● key & secrets management
     ● audit logging of control & application planes
  17. Container isolation
     ● Kernel namespacing (process & network)
     ● Control groups (resource quotas to prevent DoS)
     ● SELinux (additional syscall filter)
     ● prevent running as root inside the container, no user-provided privileged containers (enforce best practice)
     ● read-only container filesystem (harder to persist an exploit at runtime)
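As an added example (not from the deck or from VSHN), here is how the isolation controls of slides 16 and 17 map onto a Kubernetes Pod manifest so the platform enforces them rather than relying on convention; the application name, image, UID and SELinux level are placeholders.

```yaml
# Added example, not part of the original slides: a Pod manifest that turns
# the container-isolation bullets into settings the kubelet enforces.
apiVersion: v1
kind: Pod
metadata:
  name: payments            # placeholder application name
  labels:
    app: payments
spec:
  # Kernel namespacing: keep the Pod in its own process/network/IPC
  # namespaces (these default to false; stated explicitly so reviewers see it).
  hostPID: false
  hostNetwork: false
  hostIPC: false
  # Pod-level: refuse to start any container whose image would run as UID 0,
  # and attach an SELinux label as the additional MAC layer.
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001        # placeholder unprivileged UID baked into the image
    runAsGroup: 10001
    fsGroup: 10001
    seLinuxOptions:
      level: "s0:c123,c456" # placeholder MCS label
  containers:
  - name: app
    image: registry.example.com/payments:1.4.2   # placeholder, scanned in CI
    securityContext:
      privileged: false                 # no user-provided privileged containers
      allowPrivilegeEscalation: false   # setuid binaries cannot regain root
      readOnlyRootFilesystem: true      # harder to persist anything at runtime
      capabilities:
        drop: ["ALL"]
    # Control groups: requests/limits become cgroup quotas, so one workload
    # cannot starve its neighbours (the DoS case on the slide).
    resources:
      requests:
        cpu: "250m"
        memory: "256Mi"
      limits:
        cpu: "1"
        memory: "512Mi"
    # A read-only root filesystem still needs scratch space; give it an
    # explicit, size-bounded emptyDir instead of a writable image layer.
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir:
      sizeLimit: 64Mi
```

On OpenShift the same rules are applied cluster-wide through Security Context Constraints, so a manifest that omits them is still rejected or mutated rather than trusted.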
  18. AAI: Keycloak
     ● Identity & Access Management
     ● Single sign-in/out
     ● Identity brokering:
       ○ OpenID Connect (OAuth2, FB/Twitter/GitHub etc.)
       ○ SAML 2.0
       ○ Kerberos
     ● User federation: LDAP, AD, etc.
     ● 2FA: TOTP/HOTP
     ● Managing the authorization groups
  19. Logs: ELK/EFK/Graylog
     ● Logging all access and changes through the control plane
     ● Logging all access to the application, correlated with application logs
     ● Index, view, filter, aggregate KPIs → monitoring
     ● Store outside of the application scope
  20. Metrics: Prometheus / New Relic
     ● Prometheus
       ○ time series database
       ○ open source / CNCF project
       ○ well integrated with docker/kubernetes stats
     ● New Relic APM
       ○ application-level profiling
       ○ performance tracking
       ○ exception tracking (backend & frontend)
       ○ available as SaaS
  21. Traditional IT governance
     ● "Full Stack Audit"
     ● Review design document
     ● Every layer was custom built
       ○ physical hardware
       ○ handcrafted servers
       ○ manual application deployment
     ● Review each layer
     ● Review each layer again next year...
  22. Cloud native IT governance
     ● Standardized components
       ○ already audited, some even externally certified
       ○ re-used, economies of scale, CMMI level 5
       ○ tech controls (AAI, RBAC, logs/SIEM) implemented once
       ○ financial controls implemented once
     ● Infrastructure: private/public cloud
     ● Ops: Container orchestration platform
     ● Review design document & platform configuration
  23. Layers of abstraction (diagram): Hardware, Operating System, Service discovery & Load balancing, Application Server, Application; labels: Cloud/Onprem, Docker, Kubernetes
  24. Kubernetes Distributions
     ● Red Hat OpenShift
     ● Rancher RKE
     ● Canonical
     ● Docker Datacenter Enterprise
     ● IBM Cloud Private
     ● EKS, AKS, GKE
     ● APPUiO.ch
     See also https://thenewstack.io/find-perfect-kubernetes-distribution/
  25. Benefits of Kubernetes as abstraction
     ● Free & open standard
     ● Adopted by all major vendors (Google, AWS, MS, Red Hat, SUSE, IBM, etc.)
     ● available as a managed service both on-premises and (private) cloud based
     ● Provides integration with infrastructure (compute, storage, networking)
     ● Provides optional integration with platform services (e.g. DBaaS, S3)
     ● Infrastructure as code, automation, tools for DevOps processes
     ● Large ecosystem of auxiliary tooling & integration available
     ● Is being adopted as the standard runtime by ISVs (Avaloq, Finnova, Abacus, Adcubum, Ergon, etc.)
  26. IT governance controls in container platforms
     ● prevent configuration drift
       ○ immutable (application) infrastructure using containers
       ○ deploy dev/test/stage/prod envs from CI/CD
     ● prevent manual errors
       ○ validate configuration in CI/CD before deployment
       ○ standardization on a (minimal, hardened) OS and container orchestrator
       ○ deployment automation removes the need for (most) root prod access
     ● security by default
       ○ image scanning, dependency vulnerability management
       ○ process/storage/network separation of applications/environments
       ○ volumes & ingress points best practice (documentation, monitoring, backup, SSL/TLS/WAF)
       ○ AAI for admin & application, audit trail logging of CI/CD, control & application planes
       ○ key & secrets management
  27. Thank you
     ● Please do get in touch with feedback
     ● Twitter: @aarnoaukia
     ● LinkedIn: https://www.linkedin.com/in/aukia/
     ● Email: aarno.aukia@vshn.ch
  28. The CNCF Landscape
  29. Cloud Native Computing
     Next Event May 9, 2019 from 6.00pm: https://www.meetup.com/Cloud-Native-Computing-Switzerland
     Please volunteer for Sponsoring & Talks: https://cnc-meetup.ch
  30. Come visit us for a coffee! VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - info@vshn.ch - https://vshn.ch/kontakt/ Follow us on Twitter! @vshn_ch