Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Transform your DevOps practices with Security

141 views

Published on

DevOps is not just about deploying software, it’s about reducing bottlenecks and bringing value to the business. By utilizing DevOps techniques we can build a strong security practice that everybody is invested in, even your Developers and Operations Teams!

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Transform your DevOps practices with Security

  1. 1. This Page Left Intentionally Blank
  2. 2. This Page Also Left Intentionally Blank
  3. 3. © Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0 Paul Czarkowski @pczarkowski Transform your Security Team with DevOps
  4. 4. © Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0 Paul Czarkowski @pczarkowski Transform your DevOps Practice with Security
  5. 5. Cover w/ Image Agenda ■ Who I Am ■ Compliance ■ DevOps ■ DevOps + Compliance ■ Q+A
  6. 6. Compliance ?
  7. 7. What is Compliance ? Self Imposed ● CIS Controls / Benchmarks ● Security Technical Implementation Guide (STIG) ● Allowed opensource licenses Regulatory ● PCI (US) ● HIPAA (US) ● Sarbanes-Oxley (US) ● EU GDPR ● NZ Information Security Manual (NZISM)
  8. 8. Verification Validation of compliance based on Controls in place. ● Checklists ● External Auditors Checklists Practice, Policy or Procedure established to meet compliance requirements. ● Spreadsheets ● Checklists ● Sharepoint Pages Specifications Documentation of requirements that need to be met in order to be compliant. ● PDFs ● Verbose Compliance Controls Audit
  9. 9. Example of Compliance Specifications
  10. 10. Example of Compliance Specifications
  11. 11. Compliance Officer Operations Security Officer Auditor
  12. 12. DevOps
  13. 13. http://blog.d2-si.fr/2016/02/22/devopsconnection/
  14. 14. Rugged DevOps DevSecOps Secure DevOps
  15. 15. https://www.devsecopsdays.com/articles/its-just-a-name
  16. 16. DevOps + Compliance
  17. 17. Embedded OS (Windows & Linux) NSX-T CPI (15 methods) v1 v2 v3 ... CVEs Product Updates Java | .NET | NodeJS Pivotal Application Service (PAS) Application Code & Frameworks Buildpacks | Spring Boot | Spring Cloud | Steeltoe Elastic | Packaged Software | Spark Pivotal Container Service (PKS) >cf push >kubectl run YOU build the containerWE build the container vSphere Azure & Azure StackGoogle CloudAWSOpenstack Pivotal Network “3Rs” Github Concourse Concourse Pivotal Services Marketplace Pivotal and Partner Products Continuous delivery Public Cloud Services Customer Managed Services OpenServiceBrokerAPI Repair — CVEs Repave Rotate — Credhub
  18. 18. PIVOTAL CLOUD FOUNDRY OPS Powered by BOSH BOSH is an open source tool for release engineering, deployment, lifecycle management, and monitoring of distributed systems. BOSH Packaging w/ embedded OS Server provisioning on any IaaS Software deployment across availability zones Health monitoring (server AND processes) Self-healing w/ Resurrector Storage management Rolling upgrades via canaries Easy scaling of clusters
  19. 19. PIVOTAL CLOUD FOUNDRY OPS Powered by BOSH BOSH is an open source tool for release engineering, deployment, lifecycle management, and monitoring of distributed systems. BOSH Packaging w/ embedded OS Server provisioning on any IaaS Software deployment across availability zones Health monitoring (server AND processes) Self-healing w/ Resurrector Storage management Rolling upgrades via canaries Easy scaling of clusters
  20. 20. PIVOTAL CLOUD FOUNDRY OPS Powered by BOSH BOSH is an open source tool for release engineering, deployment, lifecycle management, and monitoring of distributed systems. BOSH Packaging w/ embedded OS Server provisioning on any IaaS Software deployment across availability zones Health monitoring (server AND processes) Self-healing w/ Resurrector Storage management Rolling upgrades via canaries Easy scaling of clusters
  21. 21. Culture
  22. 22. Adopting a DevOps culture Despite varying approaches to describing high-performance teams there is a set of common characteristics that are recognised to lead to success. ● Participative leadership – using a democratic leadership style that involves and engages team members ● Effective decision-making – using a blend of rational and intuitive decision making methods, depending on that nature of the decision task ● Open and clear communication – ensuring that the team mutually constructs shared meaning, using effective communication methods and channels ● Valued diversity – valuing a diversity of experience and background in team, contributing to a diversity of viewpoints, leading to better decision making and solutions ● Mutual trust – trusting in other team members and trusting in the team as an entity ● Clear goals – goals that are developed using SMART criteria; also each goal must have personal meaning and resonance for each team member, building commitment and engagement ● Defined roles and responsibilities – each team member understands what they must do (and what they must not do) to demonstrate their commitment to the team and to support team success ● Positive atmosphere – an overall team culture that is open, transparent, positive, future-focused and able to deliver success https://en.wikipedia.org/wiki/High-performance_teams
  23. 23. Lean
  24. 24. https://imgur.com/gallery/kMJWs
  25. 25. https://www.slideshare.net/KarenMartinGroup/value-stream-mapping-in-office-service-setttings
  26. 26. Mappable Processes that include Security / Compliance Application Release ● Vulnerability Scanning ● Security Scanning (sql injection etc) ● License Scanning ● Attribution Compliance Audits ● Vulnerability Scanning ● Security Scanning (sql injection etc) ● Package updates ● OS inspection Infrastructure Provisioning ● OS Hardening ● Firewalling ● User Management ● Remote logging and auditing ● Intrusion Detection ● Vulnerability Scanning
  27. 27. Value Stream map for Provisioning a New Server Current State Prepare Request Network / VLANs Launch VM / Install OS Test Compliance Deliver 1-5 days 1-5 days 1-5 days 1-5 days 1-2 days 1-2 days 1-2 days 1-2 days
  28. 28. Value Stream map for Provisioning a New Server Future State Deploy VM Configure VM Test Compliance Deliver 1-5 days 1-5 days 1-5 days 1-2 hours 1-2 hours 1-2 Hours
  29. 29. Value Stream map for Provisioning a New Server Future State
  30. 30. Automation
  31. 31. ● Implements STIG controls via Ansible playbooks ● Opensource project started at Rackspace ● Plays well with existing config management ● Easily override problematic controls ● Extends RSPEC for Compliance testing ● Similar to Serverspec, but better. ● Easy to go from serverspec to inspec ● Inspec-STIG is all of STIG already written into inspec tests.
  32. 32. Source: @petecheslock
  33. 33. Example of Compliance Specifications
  34. 34. Measurement
  35. 35. Sharing
  36. 36. What’s Next ?
  37. 37. Other Security / Compliance tools ● Gauntlt ( Security Testing Framework ) ● Metasploit ( Penetration Testing) ● Syntribos ( API security testing) ● Pivotal LicenseFinder ( Scanning licenses of dependencies ) ● Snort ( Intrusion Detection ) ● Fossology ( license compliance ) ● OpenVAS ( vulnerability scanning ) ● OSSEC ( Intrustion Detection )
  38. 38. Questions ?
  39. 39. Transforming How The World Builds Software © Copyright 2018 Pivotal Software, Inc. All rights Reserved.

×