DevSecOps: Taking a DevOps Approach to Security

More organisations are embracing DevOps and automation to realise compelling business benefits, such as more frequent feature releases, increased application stability, and more productive resource utilization. However, many security and compliance monitoring tools have not kept up. In fact, they often represent the largest single remaining barrier to continuous delivery.

Published in: Technology

1. DevSecOps: Taking a DevOps Approach to Security
   Alert Logic & Chef discuss overcoming security challenges in DevOps

2. Before We Begin
   Housekeeping
   • Turn on your system’s sound to hear the streaming presentation
   • Questions? Submit them to the presenter at any time in the question box
   • The presentation slides will be available to download from the attachment tab after the webinar
   • The webinar will be recorded and published on BrightTalk
   • Technical problems? Click “Help”
   Agenda
   • Security Challenges
   • High Velocity IT
   • Vulnerability Management
   • Securing the Platform
   • Continuous Monitoring
   • Questions

3. Speaker Introduction
   James Brown
   • Director of Cloud Computing & Security Architecture
   • Alert Logic
   Alex Manly
   • Solution Architect
   • Chef

4. OVERCOMING SECURITY CHALLENGES

5. Security Remains #1 Pain Point For Cloud Deployments
   [Chart: Cloud Computing Pain Points. Question asked: What are your top cloud computing-related pain points? Source: Cloud Computing – Wave 7, © 2014 451 Research, LLC, www.451research.com]

6. Shared Security Model

7. Application Security Technology Challenges
   Network Changes, Host Identity, Auto-Scaling
   Why do traditional security tools struggle in the cloud?

8. Security at Odds with DevOps Velocity
   Traditional Security/Compliance is Slow
   • Bolted on at the end
   • Manual processes
   • Long cycle times
   Mature DevOps Velocity is Fast
   Security Practice does not Keep Up
   • Traditional security tools are not automated
   • Continuous deployment stalls without security automation

9. InfoSec Ends Up Being Marginalized
   “The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.”
   Gene Kim, former CTO of Tripwire, author of “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win”

10. Alert Logic Survey Findings
   • Good communications between Development and Operations teams
   • Poor communication between DevOps, Security and Compliance teams
   • Security infrastructure had been poorly managed or needed significant improvement
   • Admitted to not implementing security into their continuous process

11. High velocity IT
   • Web scale IT
   • Software is eating the world
   • The rise of the coded business
   • Every business is an IT business
   • Software defined everything
   • Deliver change faster and safer

12. Infrastructure on demand
   • Cheap
   • Secure
   • Elastically Scalable
   • Self Service

13. DevOps

14. Configuration Management

15. Continuous Delivery

16. Architecture

17. Compliance Drag

18. If you think compliance is expensive, try non-compliance
   Former US Deputy Attorney General, Paul McNulty

19. DevSecOps – Don’t shoot me, it’s just a word
   • Many hats **
   • Not just Dev, not just Ops.
   • Security is not, and has never been, just a check box.
   • Security as Code – Software defined Security
   • Embed security tests into the pipeline.
   • Test security early.
   ** Hat tip to Ben Hughes (@benjammingh), from whom I stole this slide: https://speakerdeck.com/barnbarn/handmade-security-at-etsy

20. The changing role of the compliance officer

21. 2015 Compliance Report – Verizon

22. VULNERABILITY MANAGEMENT

23. Vulnerability Management
   Vulnerability management is key to maintaining a secure system. Most IT environments use a mix of patch management and vulnerability scanning. However:
   • Scanning is not run frequently enough
   • Dealing with large numbers of potential vulnerabilities in one go introduces significant risk to application stability

24. Manage Vulnerabilities with Base Images + CI
   Manage Vulnerabilities
   • Conduct normal vulnerability scanning
   • Identify vulnerabilities that exist in base images versus application-specific packages
   • Remediate at the appropriate level as part of the Continuous Delivery process
   • Start with a hardened, “secure by default” base
   Results
   • Less work, done more reliably
   • Patching fits naturally into Phoenix Upgrades
   • Continuous Delivery allows frequent scanning in test environments to have real value
   • Fixes potential vulnerabilities systematically

25. Adopt Phoenix upgrade strategy
   Embrace Phoenix Upgrades
   • Stand up new instances, don’t upgrade
   • Route traffic between old and new instances
   • Rich service metrics and automated rollback
   • Advanced routing can enable selective rollout
   Results
   • Creates evergreen systems, avoiding configuration drift and technical debt
   • Enforces refresh of all system components as a complete artifact, tested as a holistic system
   • Greatly reduces security risks when combined with immutable instances and configuration management

26. Real World Case – Patching Shellshock

27. SECURING THE PLATFORM

28. Securing the platform
   Aside from ensuring that an application and its server are fully patched, it is key to start from a position where the server has been fully locked down. In the cloud, have the developers taken the base OS versions made available to them and used them as-is? You may be in a position where:
   • You cannot change permissions on servers without risking breaking the application
   • Base OS images are used without any specific security hardening
   • Different standards exist across different server types

29. Prevent Attacks with Immutable Systems
   Design Secure Immutable Infrastructure
   • Build secure base images that are representative of your infrastructure system base
   • Design the file system layout to separate code from data, and lock down to the minimum required permissions. This should extend to the network as well
   • Leverage SANS Checklist and CIS Benchmark resources for system-level security best practices and guidance
   • Leverage configuration management tools to standardize all software versions and configurations

30. Example – Static Control Analysis
   • This example identifies any code that tries to mount disk volumes. If such code is identified, it is audited, and a workflow can then control how this deviation from standards is handled.

31. Example – Infrastructure Testing
   • Tests Chef cookbooks using cloud instances and virtual machines
   • Lets you create a realistic multi-server test environment
   • Uses Chef and supports everything Chef supports (OSs, VMs, languages, etc.)
   • Supports multiple test runners (Bats, Minitest, RSpec, Serverspec, etc.)

32. CONTINUOUS MONITORING

33. Chef Analytics Provides Visibility in Three Ways
   • Records changes to the Chef Server or any Chef nodes
   • Tracks changes from any source (Chef UI, command line, knife)
   • Built-in messaging and email integration
   • Trivially integrates with your existing systems
   • Simple dashboard with search, filters and sorting options
   • Integrates with existing tools via API

34. Example

35. Example – PCI Compliance
   • PCI 2.3 – Encrypt all non-console administrative access such as browser/Web-based management tools.

   Rule:

       rules 'PCI 2.3 - Confirm telnet port not available'
         rule on run_control
         when
           name = 'should be listening'
           resource_type = 'port'
           resource_name = '23'
           status != 'success'
         then
           audit:error("PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.")
           notify("security-team@financialcorp.com", "A machine is listening for connections on port 23/telnet!")
         end
       end

   Control:

       controls 'port compliance' do
         control port(23) do
           it "has nothing listening" do
             expect(port(23)).to_not be_listening
           end
         end
       end

36. Example – SOX Compliance
   • SOX Section 302.4.B – Establish verifiable controls to track data access.

   Rule:

       rules 'force key based auth'
         rule on run_control
         when
           name = 'is disabled'
           resource_type = 'File'
           resource_name = '/etc/ssh/sshd_config'
           status = 'failed'
         then
           audit:error("SOX Section 302.4.B - Establish verifiable controls to track data access.")
           notify('security-team@financialcorp.com', "A machine has password login enabled!")
         end
       end

   Control:

       controls 'password authentication' do
         control file('/etc/ssh/sshd_config') do
           it "is disabled" do
             # match against the file's content; the backslashes in the
             # regex were lost in the slide transcript
             expect(file('/etc/ssh/sshd_config').content)
               .to_not match(/^\s*PasswordAuthentication\s+yes/i)
           end
         end
       end
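The sshd_config control above relies on a single regular expression. The Ruby function below is an added example (not from the deck, Chef or Serverspec) that evaluates the same control the way sshd itself reads the file: the first occurrence of a directive wins, commented lines are ignored, settings inside a Match block do not change the global default, and an absent directive means sshd's default of yes. The sample configs are constructed.

```ruby
# Added example: decide whether an sshd_config effectively allows password
# logins, following sshd's own parsing rules rather than a single regex.
def password_auth_status(config_text)
  global = nil        # first global PasswordAuthentication value seen
  in_match = false    # true once a "Match" block has started
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/\s*=\s*|\s+/, 2)  # sshd accepts "Key value" or "Key=value"
    key = keyword.to_s.downcase                    # keywords are case-insensitive
    if key == 'match'
      in_match = true                              # everything after this is scoped
      next
    end
    next if in_match                               # Match-scoped values do not set the global default
    if key == 'passwordauthentication' && global.nil?
      global = value.to_s.strip.downcase           # first occurrence wins; later ones are ignored
    end
  end
  return { enabled: true, reason: 'directive absent; sshd defaults to yes' } if global.nil?
  { enabled: global == 'yes', reason: "PasswordAuthentication #{global}" }
end

# The slide's check, kept for comparison: one case-insensitive regex over the file.
def naive_regex_flags?(config_text)
  config_text.match?(/^\s*PasswordAuthentication\s+yes/i)
end

# Constructed sample configs (not captured from real hosts).
SAMPLE_HARDENED = <<~CFG
  # PasswordAuthentication yes
  PasswordAuthentication no
  Match User deploy
      PasswordAuthentication yes
CFG
SAMPLE_DEFAULT = "Port 22\nPermitRootLogin no\n"                           # directive missing entirely
SAMPLE_WEAK    = "passwordauthentication yes\nPasswordAuthentication no\n"  # first occurrence wins

if __FILE__ == $PROGRAM_NAME
  { hardened: SAMPLE_HARDENED, default: SAMPLE_DEFAULT, weak: SAMPLE_WEAK }.each do |label, cfg|
    puts "#{label}: regex flags=#{naive_regex_flags?(cfg)} parsed=#{password_auth_status(cfg)}"
  end
end
```

Running it shows the two cases the regex alone gets wrong: a file with no directive at all is reported clean although sshd still accepts passwords, while a Match-scoped yes is reported as a global failure even though the global setting is no.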
37. How Cloud Defender Works
   [Diagram: Alert Logic Cloud Defender. Web application events, log data and network incidents from the customer IT environment (cloud, hybrid, on-premises) feed a Big Data Analytics Platform (Alert Logic ActiveAnalytics), Threat Intelligence & Security Content (Alert Logic ActiveIntelligence) and 24x7 Monitoring & Escalation (Alert Logic ActiveWatch), which identify attacks and protect customers.]

38. Alert Logic Cloud Defender
   Threat Manager: Network Intrusion Detection
   • Detects suspicious activities across your networks
   • Uncovers vulnerabilities in your networks, systems, and applications
   Log Manager: Log Management & Analysis
   • Protects your networks, systems, and applications through log analysis
   • Collects, aggregates, and normalizes logs for easy searching and long-term storage
   Web Security Manager: Web Application Protection
   • Built to protect web applications from web-specific attacks
   • Learning engine adapts to normal behavior, ensuring application uptime
   Simple Unified Deployment

39. Questions and Resources
   Resources
   All available under the “Attachments” tab of the webinar:
   • DevOps: The Security Gap
   • Key findings from Alert Logic’s recent Dev-“Sec”-Ops Survey
   • Chef’s Whitepaper: Compliance at Velocity
   • Alert Logic Blog
   • Top 10 tips for Security Professionals Blog
   Questions
   • Questions? Submit them to the presenter at any time in the question box

40. Get Connected
   www.alertlogic.com
   www.chef.io
   @alertlogic
   @chef
   linkedin.com/company/alert-logic
   linkedin.com/company/opscode
   alertlogic.com/resources/blog/
   chef.io/blog
   youtube.com/user/AlertLogicTV
   youtube.com/user/getchef
   brighttalk.com/channel/11587
   brighttalk.com/channel/11349

41. Contact Us
   James Brown
   Director of Cloud Computing & Security Architecture
   Alert Logic
   jbrown@alertlogic.com
   Alex Manly
   Solution Architect
   Chef
   amanly@chef.io
   Thank you!