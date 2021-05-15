
  1. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 101000162. PIACERE General Presentation. Leire Orue-Echevarria (TECNALIA)
  2. General Information (15/05/2021, GA 101000162)
     PIACERE - Programming trustworthy Infrastructure As Code in a sEcuRE framework
     ➔ December 2020-2023 (36 months)
     ➔ Overall budget: 4.424.250 euros
     ➔ Project coordinator: TECNALIA
     ➔ Technical coordinator: XLAB
  3. Overall objective
     • To enable most organizations to fully embrace the Infrastructure-as-Code (IaC) approach, through the DevSecOps philosophy, by making the creation of such code more accessible to designers, developers and operators (DevSecOps teams), increasing the quality, security, trustworthiness and evolvability of infrastructural code while ensuring its business continuity by providing self-healing mechanisms that anticipate failures and violations, and by self-learning from the conditions that triggered such re-adaptations.
  4. Main objectives
     • Help the DevSecOps teams to plan the development of the infrastructural models and to create the IaC, by providing them with a simple definition of abstractions of execution environments
     • Provide the DevSecOps teams with the tools to verify the correctness of the infrastructural models and the trustworthiness and security of the IaC and the associated software components
     • Provide the DevSecOps teams with the tools and environments to simulate, package, release and configure an optimized deployment of the IaC
     • Support DevSecOps teams with the mechanisms and tools to continuously monitor, self-learn and plan for (self-)healing and optimize the executable IaC
     • Validate that the PIACERE framework is suitable to address the needs for infrastructural code in a variety of application domains
  5. Context and motivation
     Virtualization, Cloud Computing Continuum, (Sec) DevOps philosophy
     Infrastructure as Code (IaC): enables the automation of several deployment, configuration and management tasks that otherwise would have to be performed manually by an operator
     [Diagram labels: Templates, Scripts, Policies, Network elements, Cloud infrastructure]
  6. Context and motivation: general challenges
     • Large variety of competing tools with different programming languages for writing infrastructural code
     • Focused on a single or a small set of automation steps and of types of resources (e.g. VMs)
     • Focused on cloud computing, leaving aside other computational resources such as the edge
     • Not really an end-to-end solution covering Devs and the Ops
     • Trustworthiness and security aspects of the IaC are often left for the end of the cycle
  7. Approach and workflow
     IaC
     • Support to easily model the resources, network and infrastructural requirements
     • Automatic code generation for the required specific infrastructure
     • Model and code level verification
     • Security inspection of the IaC and imported software components
     • Behaviour simulation of the IaC based on an optimized deployment configuration
     • Automatic IaC execution to orchestrate the deployment
     • Monitor IaC at run-time and predict failures that may trigger self-healing mechanisms
     • Monitor run-time security
     The main objective of the PIACERE project is thus to provide means (tools, methods and techniques) to enable most organizations to fully embrace the Infrastructure-as-Code approach, through the DevSecOps philosophy.
  8. IaC DevSec
     IaC design, development and verification
     • Integration of the IaC Sec Dev process
     Creation of IaC models based on the NFRs
     • Definition of the topology and properties of the infrastructure
     • Abstraction from the specificities of the IaC language and protocol
     • Extendible
     Automatic IaC generation based on the models
     • Most prominent target IaC environments and languages (e.g. Terraform, Ansible, TOSCA)
     • Code generation for provisioning and deployment orchestrators, configuration management environments, monitoring platforms and network APIs
     Models and code verification
     • Verification of the models
     • Verification of code syntactic correctness, consistency and ability to fulfil specific non-functional properties
     • SAST and security inspector components
     [Diagram labels: IaC Development, Modelling, Code generation]
  9. IaC SecOps
     IaC simulation
     • Isolated execution and testing of Infrastructure as Code behavior
     • Identification of potential vulnerabilities and bottlenecks
     • Catalogue of services and infrastructural elements
     • Optimization combination of services and infrastructural elements
     Automatic IaC execution
     • Creation of the deployment plan
     • Interdependencies management
     • Distribution to the subsystems that perform the actual provisioning (e.g. creating virtual machines using proper IaaS connector, installing software packages or adjusting application configuration using Ansible)
     IaC intelligent monitoring
     • Execution logs
     • Run-time security verification
     • QoS assurance through self-learning and self-healing mechanisms
     Automatic re-deployment and adaptation
     • To ensure that their infrastructural code is always conforming to the SLAs committed with the end-user even if the environmental situation changes
     [Diagram labels: IaC (Pre-)deployment, IaC Operation]
  10. PIACERE Approach
  11. PIACERE Key Results
      Key results for IaC design and creation; key results for trustworthy and secure IaC development
      • DevSecOps Modelling Language (DOML)
      • Verification Tool (DOML-E)
      • Infrastructural Code Generator
      • IaC code security inspector
      • Component Security inspector
      • Integrated Development Environment
      [Diagram labels: IaC Development, Modelling, Code generation; IaC Development, Models and code verification]
  12. PIACERE Key Results
      Key results for optimized pre-deployment of IaC; key results for real-time monitored and self-healing IaC
      • Canary Sandbox Environment
      • IaC Optimized Platform
      • IaC Execution Platform
      • Self-learning and self-healing mechanisms
      • Runtime security monitoring
      [Diagram labels: IaC (Pre-)deployment, IaC Operation]
  13. PIACERE Key Results
      PIACERE DevSecOps Framework
      • IaC design and creation
      • Trustworthy and secure IaC development
      • Optimized pre-deployment of IaC
      • Monitored and self-healing IaC
      Validated in 3 application domains
      • Slovenian Ministry of Public Administration
      • Critical Maritime Infrastructures
      • Public Safety on IoT in 5G
  14. PIACERE Innovations
      • Infrastructure modeling and abstraction
      • IaC verification and simulation
      • Security concerns in IaC
      • IaC monitoring, self-learning and self-healing
      • IaC solutions
  15. PIACERE Innovations: IaC solutions
      ➔ Support for different IaC tools in a single IDE
      ➔ Integration of heterogeneous resources and infrastructural elements
      ➔ Extendible approach for the new technologies to come
  16. PIACERE Innovations: Infrastructure modeling and abstraction
      ➔ Independence from the target IaC tool
      ➔ Possibility to easily extend the languages supported
      ➔ A smart modeling environment
  17. PIACERE Innovations: IaC verification and simulation
      ➔ Model consistency checking as well as the fulfilment of critical safety and reliability properties
      ➔ Best practices and guidelines for infrastructural code testing not depending on DSL
      ➔ Canary environment: Abstractions to model infrastructural and deployment specifications (information flow, cloud provisioning and configuration and the application deployment)
  18. PIACERE Innovations: Security concerns in IaC
      ➔ IaC-SAST with detectors for dangerous IaC code patterns
      ➔ Automated on-the-fly security analysis of application code
      ➔ Checking cryptographic libraries for vulnerability to attacks
      ➔ DAST support for detecting vulnerabilities in the environment before the applications are deployed to production
  19. PIACERE Innovations: IaC monitoring, self-learning and self-healing
      ➔ Swarm Intelligence multi-objective meta-heuristics to the IaC domain
      ➔ Integrated online learning and concept drift detection
      ➔ Dynamic adaptation of the fitness function of the problem to create more robust solutions
  20. PIACERE Innovations: IaC monitoring, self-learning and self-healing
      ➔ Swarm Intelligence multi-objective meta-heuristics to the IaC domain
      ➔ Integrated online learning and concept drift detection
      ➔ Dynamic adaptation of the fitness function of the problem to create more robust solutions
  21. Target users
      ➔ Developers of IaC
      ➔ Operators of IaC
      [Diagram label: Infrastructural Code]
  22. Benefits
      PIACERE will enable organizations to fully embrace the Infrastructure-as-Code approach by:
      • Making the creation of such infrastructural code more accessible to the DevSecOps teams
      • Increasing the quality, security, trustworthiness and evolvability of infrastructural code
      • Ensuring business continuity by providing self-healing mechanisms that anticipate failures and violations
      • Allowing IaC to self-learn from previous conditions that triggered unexpected situations
  23. Thank you! Website // Contact

