SlideShare a Scribd company logo

Help, My Security Officer Is Allergic to DevOps

C4Media
C4Media

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1pPrxzy. Frank Breedijk addresses security concerns raised in a DevOps environment that practices continuous deployment. Filmed at qconlondon.com. Frank Breedijk is the Security Officer at Schuberg Philis where he's been responsible for security since 2006. These responsibilities include the technical information security of Schuberg Philis' Mission Critical outsourcing services, Security Awareness, Vulnerability management, Internal security consultancy, Internal technical audits, etc.

TechnologyNews & Politics
1 of 44
InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations /security-devops
Presented at QCon London www.qconlondon.com Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide
Help, my Security Officer is allergic to DevOps…! DevOps and Security, a match made in heaven or a forced marriage from hell?
Pop quiz: What is the acronym for... Hyper Text Transfer Protocol H T T P
Pop quiz: What is the acronym for... Internet Mail Access Protocol I M A P
Pop quiz: What is the acronym for... Secure Hyper Text Transfer Protocol
Pop quiz: What is the acronym for... Secure Internet Mail Access Protocol S
Pop quiz: What is the acronym for... Development & Operations Dev Op
Pop quiz: What is the acronym for... Secure Development & Operations Dev Op S
> whoami »  Frank Breedijk –  Security Officer at Schuberg Philis –  Author of Seccubus –  Blogger for CupFigther.net Email: fbreedijk@schubergphilis.com Twitter: @Seccubus Blog: http://cupfighter.net Project: http://www.seccubus.com Company: http://www.schubergphilis.com Image: Portrait taken by Arthur van Schendel
Typical security officer reaction when you propose DevOp Image: http://devopsreactions.tumblr.com/post/47939884113/blue-screen-after- patching-production-server
We need to understand where we come from… »  DevOp »  Security Image: Conjunction CC NC by lrargerich http://www.flickr.com/photos/ 29638083@N00/5707310636/
What is DevOp? »  DevOp is a methodology where Development and Operations jointly work together to enable faster delivery of software or services to the production environment. »  DevOp enables faster release cycles (up to and above ten releases a day) »  With DevOp software can be automatically built, tested and deployed, ideally without the involvement operations resources »  DevOp is often supported by Agile development processes
Faster delivery cycles… How is this going to affect my security posture? Source: http://devopsreactions.tumblr.com/post/41776196984/first-test
Developers do not have a great reputation with security Image: @akaasjagers desktop by Frank Breedijk
Faster delivery cycles… What security worries about »  Poorly tested code… »  How can it be mitigated? (aka Your answer) –  Automated testing •  Functionality •  Security –  Foritfy, VeraCode, WhiteHat Sentinel –  Gauntlt (https://github.com/gauntlt) –  BDD-Security (http:// www.continuumsecurity.net/bdd- intro.html) –  Chaos Monkey (https://github.com/ Netflix/SimianArmy) –  Seccubus (www.secubus.com) Source: http://testerreactions.tumblr.com/post/50489315537/new- implementation-first-verification
Faster delivery cycles… What security worries about »  No more room for to patch »  How can it be mitigated? (aka Your answer) –  Patches become just another release –  If we miss a patch window, there will be plenty more –  We didn’t miss our single shot to get it right Source: http://devopsreactions.tumblr.com/post/46061575774/surviving-a-ddos- attack
Joint cooperation Automated deployment »  What about separation of duties? Source: http://en.wikipedia.org/wiki/Separation_of_duties
Another PCI DSS audit Source: http://devopsreactions.tumblr.com/post/50566447542/another-pci-dss-audit
When someone says their company is secure because they run PCI- DSS Scans Source: http://securityreactions.tumblr.com/post/31398166073/when-someone-says-their-company- is-secure-because-they
Segregation of duties… What does security worry about? »  Mistakes by incompetence »  How can it be mitigated? (aka Your answer) –  Culture •  Make sure people know and respect their own limits –  Transparency •  Make sure all changes are visible to everyone •  Peer review •  Changes are small and can be understood –  Not every part of the system is in scope of PCI DSS/SOX •  Work with approvals for components in scope Source: http://devopsreactions.tumblr.com/post/48511362536/i-dont-need-to-test-that-what-can- possibly-go-wrong
Segregation of duties… What does security worry about? »  Fraud –  There may be actual financial losses –  Failed PCI DSS/ SOX –  Auditors want us to have this »  How can it be mitigated? (aka Your answer) –  Transparency •  Make sure all changes are visible to everyone •  Peer review •  Changes are small and can be understood –  Not every part of the system is in scope of PCI DSS/SOX •  Work with approvals for components in scope Source: https://twitter.com/NeedADebitCard
Putting signatures on critical code… New/changed code is checked in Critical code does NOT match signature Build fails Security team reviews critical code and signs it Build ok!
10 or more releases a day… Source: http://doit.creighton.edu/faculty-staff-services/cab
Security says NO… Source: http://dilbert.com/strips/comic/2006-08-17/
Change advisory board… Why security says noooo… »  Are changes reviewed for security? »  How can it be mitigated? (aka Your answer) –  It will happen anyway… –  There will be at least 50 changes a week •  Security doesn’t have the capacity to review everything •  Let us help you to deal with this •  Ask for guidance on what needs a review •  Implement signatures for critical functionality •  Add automated security testing Source: http://securityreactions.tumblr.com/post/67562914945/java-source-code-review
Change advisory board… Why security says noooo… »  Changes must have a role back plan »  How can it be mitigated? (aka Your answer) –  Role back cannot exist •  But fix forward does (multiple times a day) •  Make sure security fixes can ‘jump the queue’
Change advisory board… Why security says noooo… »  We are afraid of uncontrolled change »  The CAB was our only point of influence »  How can it be mitigated? (aka Your answer) –  Enable security to become the immune system •  Give insight into all changes •  Allow security to test / verify changes •  Whenever, whatever, however •  Automate security tests »  Pulling the Andon cord is not saying no… »  Remind security that survival isn’t mandatory Source: http://securityreactions.tumblr.com/post/64390760807/when-the-client-asks-me-to-verify- their-fix
Agile development My objections »  Product owner owns the backlog to delivery functionality to the user »  Complexity of stories is measured in story points »  You don’t get points for fixing defects Security »  Is often a “non-functional” requirement »  Making sure security is part of a story increases complexity (cost) of a story »  Devs are not rewarded for fixing security issues »  Result: Security seems to make you less agile Image: Planning Poker, CC NC SA by 2nk - http://www.flickr.com/photos/ 53023503@N00/3947006171/
Agile development Your answer »  Security and product owner should cooperate »  Non-functional requirements are requirements too »  Dealing with NFRs from the start is more effective/efficient then dealing with them later »  We will plan for unplanned work »  Make sure the team is rewarded for reducing technical debt –  There is security debt in technical debt Image: Post-It Fun, CC by zerojay - http://www.flickr.com/ photos/15969266@N04/3238168719/
Where Security needs to be fit into Agile Backlog grooming •  Make sure there is room for Technical Debt, and (Emergency)patching Sprint Planning •  Make sure security is accounted for in you planning Execution •  Ask security to be there for the developer/Ops guy (Automated)Testing •  Test for security too!!! Acceptance •  Functional •  (Non)functional
Security is misguided too… »  Security people are obsessed with controls/locks… »  We don’t often spend time/money where it has the most effect on security Source: http://securityreactions.tumblr.com/post/59198452899/crypto- implementation-in-whistle-im
Where do we get the most bang for buck? Mitigating measures Situational awareness Craftsmanship in setup and operations Defensible infrastructure »  Specific security technologies –  IDS, IPS –  Next generation firewall –  Data loss preventions »  What is happening now? –  Who is attacking? –  What are they doing »  How well are your systems maintained? –  Patch levels up to date? –  Security holes patched? –  Passwords hashed and salted? –  AV up to date? »  How well can you defend your infrastructure? –  Layers of defense? –  Access control in order? –  Dual factor authentication? –  Stepping stones? Source: Managing Operational Threat by Joshua Corman for Carnegie Mellon University
What the industry talks about »  Conference talks are centered around attack and technical measures »  Most infosec spending is around mitigating measures, not defensible infrastructures of quality of software / infrastructure operation Source: Managing Operational Threat by Joshua Corman for Carnegie Mellon University
Example: using automation to build system images »  At Schuberg Phils we automated OS builds »  Wins for security –  Systems are no longer like snowflakes –  Every system that is installed at least starts secure –  Insecure images break the build –  Tested against the CIS benchmarks »  Wins for Dev/Ops –  Software is tested against secure builds –  Works on my laptop becomes irrelevant –  No need to wait 2 hours for all windows patches to install
Rugged DevOpS Image: http://devopsreactions.tumblr.com/post/49168088989/backup-and-dr-testing
DevOpS benefits »  Infrastructure has become code too –  Can be unit tested –  Security can be built in »  DevOpS has lots of small changes that take place often –  Changes are small so impact of missing a window is small –  Emergency changes can skip the queue –  Environments should be rebuilt often •  Makes DR test implicit •  Enables easy patching »  DevOpS is quality driven –  Security is a quality
Security is part of all the ways of DevOp »  System thinking –  Code not in production isn’t code –  Code that isn’t secure isn’t code »  Stop treating security as a silo… Image: 2010 a CC NC ND image by Annais Ferreira, http://www.flickr.com/photos/ 79083322@N00/4453826217/
Allow security to provide a strong feedback signal »  The shorter the feedback loops are, the better the learning effect –  Automated security testing –  Signed code –  Allow security to pull the Andon cord –  Have Nagios tests for security?
Allow for experimentation??? »  DevOps is THE change to security to finally get it right »  Defensible infrastructure Image: Rainbolt a CC NC ND image by Brian Auer, http://www.flickr.com/photos/ 29814800@N00/1480408255/
Conclusion… »  DevOpS is full of win! »  If we listen to each other we can all benefit @seccubus fbreedijk@schubergphilis.com Image: http://securityreactions.tumblr.com/post/65138818960/got-my-5th-animated-gif-published- in-securityreactions
Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations/security- devops

Recommended

Creating A Change Advisory Board
Creating A Change Advisory BoardCreating A Change Advisory Board
Creating A Change Advisory BoardUniversity ITSM
 
Change management - ITIL Series
Change management - ITIL SeriesChange management - ITIL Series
Change management - ITIL SeriesYudi FlasheR
 
Streaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoStreaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoC4Media
 
Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileC4Media
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020C4Media
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsC4Media
 
Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No KeeperC4Media
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like OwnersC4Media
 

Recommended

Creating A Change Advisory Board
Creating A Change Advisory BoardCreating A Change Advisory Board
Creating A Change Advisory BoardUniversity ITSM
 
Change management - ITIL Series
Change management - ITIL SeriesChange management - ITIL Series
Change management - ITIL SeriesYudi FlasheR
 
Streaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoStreaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoC4Media
 
Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileC4Media
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020C4Media
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsC4Media
 
Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No KeeperC4Media
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like OwnersC4Media
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaC4Media
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideC4Media
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDC4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine LearningC4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at SpeedC4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsC4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsC4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerC4Media
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleC4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeC4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereC4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing ForC4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data EngineeringC4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreC4Media
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsC4Media
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechC4Media
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/awaitC4Media
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaC4Media
 
Datadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/DayDatadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/DayC4Media
 
Are We Really Cloud-Native?
Are We Really Cloud-Native?Are We Really Cloud-Native?
Are We Really Cloud-Native?C4Media
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

More Related Content

More from C4Media

Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaC4Media
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideC4Media
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDC4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine LearningC4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at SpeedC4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsC4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsC4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerC4Media
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleC4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeC4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereC4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing ForC4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data EngineeringC4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreC4Media
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsC4Media
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechC4Media
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/awaitC4Media
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaC4Media
 
Datadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/DayDatadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/DayC4Media
 
Are We Really Cloud-Native?
Are We Really Cloud-Native?Are We Really Cloud-Native?
Are We Really Cloud-Native?C4Media
 

More from C4Media (20)

Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate Guide
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CD
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine Learning
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at Speed
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep Systems
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.js
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly Compiler
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix Scale
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's Edge
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home Everywhere
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing For
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data Engineering
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery Teams
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in Adtech
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/await
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven Utopia
 
Datadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/DayDatadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/Day
 
Are We Really Cloud-Native?
Are We Really Cloud-Native?Are We Really Cloud-Native?
Are We Really Cloud-Native?
 

Recently uploaded

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Help, My Security Officer Is Allergic to DevOps

  • 1.
  • 2. InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations /security-devops
  • 3. Presented at QCon London www.qconlondon.com Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide
  • 4. Help, my Security Officer is allergic to DevOps…! DevOps and Security, a match made in heaven or a forced marriage from hell?
  • 5. Pop quiz: What is the acronym for... Hyper Text Transfer Protocol H T T P
  • 6. Pop quiz: What is the acronym for... Internet Mail Access Protocol I M A P
  • 7. Pop quiz: What is the acronym for... Secure Hyper Text Transfer Protocol
  • 8. Pop quiz: What is the acronym for... Secure Internet Mail Access Protocol S
  • 9. Pop quiz: What is the acronym for... Development & Operations Dev Op
  • 10. Pop quiz: What is the acronym for... Secure Development & Operations Dev Op S
  • 11. > whoami »  Frank Breedijk –  Security Officer at Schuberg Philis –  Author of Seccubus –  Blogger for CupFigther.net Email: fbreedijk@schubergphilis.com Twitter: @Seccubus Blog: http://cupfighter.net Project: http://www.seccubus.com Company: http://www.schubergphilis.com Image: Portrait taken by Arthur van Schendel
  • 12. Typical security officer reaction when you propose DevOp Image: http://devopsreactions.tumblr.com/post/47939884113/blue-screen-after- patching-production-server
  • 13. We need to understand where we come from… »  DevOp »  Security Image: Conjunction CC NC by lrargerich http://www.flickr.com/photos/ 29638083@N00/5707310636/
  • 14. What is DevOp? »  DevOp is a methodology where Development and Operations jointly work together to enable faster delivery of software or services to the production environment. »  DevOp enables faster release cycles (up to and above ten releases a day) »  With DevOp software can be automatically built, tested and deployed, ideally without the involvement operations resources »  DevOp is often supported by Agile development processes
  • 15. Faster delivery cycles… How is this going to affect my security posture? Source: http://devopsreactions.tumblr.com/post/41776196984/first-test
  • 16. Developers do not have a great reputation with security Image: @akaasjagers desktop by Frank Breedijk
  • 17. Faster delivery cycles… What security worries about »  Poorly tested code… »  How can it be mitigated? (aka Your answer) –  Automated testing •  Functionality •  Security –  Foritfy, VeraCode, WhiteHat Sentinel –  Gauntlt (https://github.com/gauntlt) –  BDD-Security (http:// www.continuumsecurity.net/bdd- intro.html) –  Chaos Monkey (https://github.com/ Netflix/SimianArmy) –  Seccubus (www.secubus.com) Source: http://testerreactions.tumblr.com/post/50489315537/new- implementation-first-verification
  • 18. Faster delivery cycles… What security worries about »  No more room for to patch »  How can it be mitigated? (aka Your answer) –  Patches become just another release –  If we miss a patch window, there will be plenty more –  We didn’t miss our single shot to get it right Source: http://devopsreactions.tumblr.com/post/46061575774/surviving-a-ddos- attack
  • 19. Joint cooperation Automated deployment »  What about separation of duties? Source: http://en.wikipedia.org/wiki/Separation_of_duties
  • 20. Another PCI DSS audit Source: http://devopsreactions.tumblr.com/post/50566447542/another-pci-dss-audit
  • 21. When someone says their company is secure because they run PCI- DSS Scans Source: http://securityreactions.tumblr.com/post/31398166073/when-someone-says-their-company- is-secure-because-they
  • 22. Segregation of duties… What does security worry about? »  Mistakes by incompetence »  How can it be mitigated? (aka Your answer) –  Culture •  Make sure people know and respect their own limits –  Transparency •  Make sure all changes are visible to everyone •  Peer review •  Changes are small and can be understood –  Not every part of the system is in scope of PCI DSS/SOX •  Work with approvals for components in scope Source: http://devopsreactions.tumblr.com/post/48511362536/i-dont-need-to-test-that-what-can- possibly-go-wrong
  • 23. Segregation of duties… What does security worry about? »  Fraud –  There may be actual financial losses –  Failed PCI DSS/ SOX –  Auditors want us to have this »  How can it be mitigated? (aka Your answer) –  Transparency •  Make sure all changes are visible to everyone •  Peer review •  Changes are small and can be understood –  Not every part of the system is in scope of PCI DSS/SOX •  Work with approvals for components in scope Source: https://twitter.com/NeedADebitCard
  • 24. Putting signatures on critical code… New/changed code is checked in Critical code does NOT match signature Build fails Security team reviews critical code and signs it Build ok!
  • 25. 10 or more releases a day… Source: http://doit.creighton.edu/faculty-staff-services/cab
  • 26. Security says NO… Source: http://dilbert.com/strips/comic/2006-08-17/
  • 27. Change advisory board… Why security says noooo… »  Are changes reviewed for security? »  How can it be mitigated? (aka Your answer) –  It will happen anyway… –  There will be at least 50 changes a week •  Security doesn’t have the capacity to review everything •  Let us help you to deal with this •  Ask for guidance on what needs a review •  Implement signatures for critical functionality •  Add automated security testing Source: http://securityreactions.tumblr.com/post/67562914945/java-source-code-review
  • 28. Change advisory board… Why security says noooo… »  Changes must have a role back plan »  How can it be mitigated? (aka Your answer) –  Role back cannot exist •  But fix forward does (multiple times a day) •  Make sure security fixes can ‘jump the queue’
  • 29. Change advisory board… Why security says noooo… »  We are afraid of uncontrolled change »  The CAB was our only point of influence »  How can it be mitigated? (aka Your answer) –  Enable security to become the immune system •  Give insight into all changes •  Allow security to test / verify changes •  Whenever, whatever, however •  Automate security tests »  Pulling the Andon cord is not saying no… »  Remind security that survival isn’t mandatory Source: http://securityreactions.tumblr.com/post/64390760807/when-the-client-asks-me-to-verify- their-fix
  • 30. Agile development My objections »  Product owner owns the backlog to delivery functionality to the user »  Complexity of stories is measured in story points »  You don’t get points for fixing defects Security »  Is often a “non-functional” requirement »  Making sure security is part of a story increases complexity (cost) of a story »  Devs are not rewarded for fixing security issues »  Result: Security seems to make you less agile Image: Planning Poker, CC NC SA by 2nk - http://www.flickr.com/photos/ 53023503@N00/3947006171/
  • 31. Agile development Your answer »  Security and product owner should cooperate »  Non-functional requirements are requirements too »  Dealing with NFRs from the start is more effective/efficient then dealing with them later »  We will plan for unplanned work »  Make sure the team is rewarded for reducing technical debt –  There is security debt in technical debt Image: Post-It Fun, CC by zerojay - http://www.flickr.com/ photos/15969266@N04/3238168719/
  • 32. Where Security needs to be fit into Agile Backlog grooming •  Make sure there is room for Technical Debt, and (Emergency)patching Sprint Planning •  Make sure security is accounted for in you planning Execution •  Ask security to be there for the developer/Ops guy (Automated)Testing •  Test for security too!!! Acceptance •  Functional •  (Non)functional
  • 33. Security is misguided too… »  Security people are obsessed with controls/locks… »  We don’t often spend time/money where it has the most effect on security Source: http://securityreactions.tumblr.com/post/59198452899/crypto- implementation-in-whistle-im
  • 34. Where do we get the most bang for buck? Mitigating measures Situational awareness Craftsmanship in setup and operations Defensible infrastructure »  Specific security technologies –  IDS, IPS –  Next generation firewall –  Data loss preventions »  What is happening now? –  Who is attacking? –  What are they doing »  How well are your systems maintained? –  Patch levels up to date? –  Security holes patched? –  Passwords hashed and salted? –  AV up to date? »  How well can you defend your infrastructure? –  Layers of defense? –  Access control in order? –  Dual factor authentication? –  Stepping stones? Source: Managing Operational Threat by Joshua Corman for Carnegie Mellon University
  • 35. What the industry talks about »  Conference talks are centered around attack and technical measures »  Most infosec spending is around mitigating measures, not defensible infrastructures of quality of software / infrastructure operation Source: Managing Operational Threat by Joshua Corman for Carnegie Mellon University
  • 36. Example: using automation to build system images »  At Schuberg Phils we automated OS builds »  Wins for security –  Systems are no longer like snowflakes –  Every system that is installed at least starts secure –  Insecure images break the build –  Tested against the CIS benchmarks »  Wins for Dev/Ops –  Software is tested against secure builds –  Works on my laptop becomes irrelevant –  No need to wait 2 hours for all windows patches to install
  • 38. DevOpS benefits »  Infrastructure has become code too –  Can be unit tested –  Security can be built in »  DevOpS has lots of small changes that take place often –  Changes are small so impact of missing a window is small –  Emergency changes can skip the queue –  Environments should be rebuilt often •  Makes DR test implicit •  Enables easy patching »  DevOpS is quality driven –  Security is a quality
  • 39. Security is part of all the ways of DevOp »  System thinking –  Code not in production isn’t code –  Code that isn’t secure isn’t code »  Stop treating security as a silo… Image: 2010 a CC NC ND image by Annais Ferreira, http://www.flickr.com/photos/ 79083322@N00/4453826217/
  • 40. Allow security to provide a strong feedback signal »  The shorter the feedback loops are, the better the learning effect –  Automated security testing –  Signed code –  Allow security to pull the Andon cord –  Have Nagios tests for security?
  • 41. Allow for experimentation??? »  DevOps is THE change to security to finally get it right »  Defensible infrastructure Image: Rainbolt a CC NC ND image by Brian Auer, http://www.flickr.com/photos/ 29814800@N00/1480408255/
  • 42. Conclusion… »  DevOpS is full of win! »  If we listen to each other we can all benefit @seccubus fbreedijk@schubergphilis.com Image: http://securityreactions.tumblr.com/post/65138818960/got-my-5th-animated-gif-published- in-securityreactions
  • 43.
  • 44. Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations/security- devops