2/13/2020
1
THE SHIFT TO RUGGED DEVOPS
SECURITY IN YOUR PIPELINES
RENÉ VAN OSNABRUGGE
@RENEVO
René van Osnabrugge
Xpirit Netherlands
@renevo
rvanosnabrugge@xpirit.com
https://roadtoalm.com
COMPLIANCY
IMPOSSIBLE TO UNDERSTAND
IMPOSSIBLE TO IMPLEMENT
IMPOSSIBLE TO VALIDATE
IMPOSSIBLE TO MAINTAIN
THE BATTLE WITH CISO
THE CLASSIC “SECURITY” MODEL
[Chart: “Security Level - Current”, scale 0–100, plotted by month (Jan–Dec) over three years, annotated “Audit coming up!” at two points]
ISO 27001
COBIT
SOX
PCI
AUTHORITIES
ETC.
BANG HEAD HERE
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
“COMPLIANCE CHECKING IS THE OPPOSITE OF
SECURITY ENGINEERING”
James Wickett – “The DevOps Handbook”
“Health is a state of complete physical, mental
and social well-being, and not merely the
absence of disease or infirmity.”
World Health Organization, 1948
THIS WAS ALL VERY SECURE!
Unbreachable walls · Indestructible machines · Watchful security guards
UNTIL IT WAS NOT!

COMPLIANT SECURE RUGGED
“FUNDAMENTALLY, IF SOMEBODY WANTS TO GET IN, THEY'RE GETTING IN… ACCEPT THAT.
NUMBER ONE, YOU'RE IN THE FIGHT, WHETHER YOU THOUGHT YOU WERE OR NOT.
NUMBER TWO, YOU ALMOST CERTAINLY ARE PENETRATED.
WE NEED TO SHIFT FROM PREVENT TO ASSUME BREACH!”
Michael Hayden
Former Director of NSA & CIA
BETTER CHEAPER FASTER
STATE OF DEVOPS https://cloudplatformonline.com/2018-state-of-devops.html
WE NEED TO MOVE FROM MANUAL….
[Chart: “Security Level - Current”, scale 0–100, plotted by month (Jan–Dec) over three years, annotated “Audit coming up!” at two points]
….TO AUTOMATED
[Chart: “Security Level - Current” and “Desired”, scale 0–100, plotted by month (Jan–Dec) over three years, annotated “Audit coming up!” at two points]
SECURITY IS THE NEXT SILO TO TEAR DOWN
WHERE TO START?
IT STARTS WITH AWARENESS!
YOU BUILD IT, YOU RUN IT
SHIFT LEFT SECURITY
Make them part of your team!
CREATIVE THINKING
HACKERS DO…
NOT PLAY BY THE RULES
ALREADY USE CONTINUOUS DELIVERY
ARE ALWAYS AHEAD OF YOU
USE ALL MEANS POSSIBLE
THINK OUT OF THE BOX
HOW DO WE DO THAT?
IDENTIFY PREVENT REACT
BUILD RUN
NOT OR…BUT AND!
IDENTIFY PREVENT REACT
PREVENT BREACH ASSUME BREACH
PREVENT BREACH
CODE STORE BUILD
DEPLOY RELEASE
SECURE PIPELINES
SECURE AND COMPLIANT ALL THE WAY
WHAT NEEDS TO BE SECURE?
• Identity & Access
• Servers & Containers
• Firewalls & Network
• Passwords & Secrets
• Libraries & Licenses
• Application Code
• Build & Delivery Pipelines
CODING PHASE
“In the coding phase, an idea transforms into code”
CODING PHASE - IDENTIFY
• Bad coding practices resulting in Technical Debt
• Non-deployable code
• Untested code and therefore unintended consequences
• Passwords/secrets etc. exposed in code
WE ALL NEED SOME PROTECTION …
FROM OURSELVES
CODING PHASE - PREVENT
• Secure Development Lifecycle (SDL)
• Compiling / Syntax Checking
• First stage - Static Code Analysis
  • Ruleset selection is key!
• Unit Tests
• Secure Assets
  • Approved templates
  • Secure shared Packages
• Credential and Secret Scanning
  • Do we really need secrets?
  • Use of key vaults
CREDENTIAL SCANNING
DEMO
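As an added example (it is not the demo from the talk), the following Python script shows what the credential and secret scanning step amounts to in practice: a small set of patterns run over every line of a repository, an entropy check so that ordinary words and template placeholders do not fire, and masked reporting so the scanner's own output does not leak the value it found. The sample files, the pattern set and the `scan_text` / `scan_files` helpers are constructed for this illustration; the `app/vault.py` sample shows the alternative the slides recommend, fetching the value from a key vault at runtime instead of keeping it in code.

```python
"""Credential scanning over source text: regex patterns plus an entropy check.

Added illustration of the 'Credential and Secret Scanning' step in the coding
phase; it is not the demo from the talk. Patterns and sample files below are
constructed for the example.
"""
import math
import re
from collections import Counter

# Each pattern names the kind of secret it looks for. The private-key marker
# and the AccountKey= connection-string form follow their documented formats;
# the generic assignment pattern is deliberately broad and relies on the
# entropy and placeholder checks below to stay useful.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "connection_string": re.compile(r"AccountKey=([A-Za-z0-9+/=]{40,})"),
    "generic_assignment": re.compile(
        r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{8,})["']"""
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_placeholder(value: str) -> bool:
    """Skip obvious placeholders so the scanner does not cry wolf on templates."""
    lowered = value.lower()
    return any(tag in lowered for tag in ("changeme", "example", "placeholder", "<", "${", "#{"))

def mask(value: str) -> str:
    """Never echo the full secret in scanner output or build logs."""
    return value[:4] + "…" + value[-2:] if len(value) > 8 else "***"

def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Return findings as (path, line_no, kind, masked_value)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if kind == "generic_assignment":
                value = m.group(2)
                # A generic assignment only counts when the value is not a
                # placeholder and looks random enough to be a real credential.
                if is_placeholder(value) or shannon_entropy(value) < min_entropy:
                    continue
            elif kind == "connection_string":
                value = m.group(1)
            else:
                value = m.group(0)
            findings.append((path, line_no, kind, mask(value)))
    return findings

def scan_files(files: dict) -> list:
    """files: {path: content}. Returns all findings across files."""
    results = []
    for path, content in files.items():
        results.extend(scan_text(path, content))
    return results

# Constructed sample repository content; none of these values are real.
SAMPLE_FILES = {
    "app/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "Xq7!pL2#vN9zR4wT"\n'      # hard-coded secret: reported
        'API_KEY = "changeme-example"\n'           # placeholder: ignored
        'PASSWORD = "password"\n'                  # low entropy: ignored
    ),
    "infra/storage.cfg": (
        "DefaultEndpointsProtocol=https;AccountName=demo;"
        "AccountKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpams=\n"
    ),
    "app/vault.py": (
        "# Recommended shape: fetch at runtime from a key vault, nothing in code\n"
        'DB_PASSWORD = vault_client.get_secret("db-password")\n'
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("%s:%d  %s  %s" % finding)
```

Run as a pre-commit hook or as a pipeline step, the useful property is the exit decision: any finding blocks the change, and the masked output is what lands in the build log.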
STORING PHASE
“In the storing phase you make ‘your’ code ‘our’ code and ensure it is safe”
STORING PHASE - IDENTIFY
• Everything from Coding phase!
• Unknown committers to Git Repository
• Suspicious code is committed to the code repository
• Code is deployed without 4-eyes principle
• Code contains secrets/passwords etc.
STORING PHASE - PREVENT
• Protect Git Repo to ensure “pusher” is known
• Use Pull Requests and protect the master branch
• Run Continuous Integration Builds
• Enforce 4-eyes on every code change
• Enforce CI checks on every code change
  • Static Code Analysis
  • CredScans
  • Compiling / Syntax Checking
  • Unit Tests
BUILD PHASE
“In the build phase we transform the product from code and script into an immutable and versioned package”
BUILD PHASE - IDENTIFY
• Package can be unintentionally modified
• Code can contain vulnerabilities / Technical Debt
• Code can contain secrets
• Code is untested/unstable
• Unauthorized modification of build process
• Code can use insecure libraries
• Code can use unlicensed / wrongly licensed libraries
REMEMBER HEARTBLEED?
YOUR CODE VS. THEIR CODE
• Components: 80–90 %
• Original code: 10–20 % (max)
AND THEN THERE IS LICENSING
• Copyleft: GPL, LGPL, AGPL
• Permissive ↔ Restrictive
BUILD PHASE - PREVENT
• Build activities from Storing Phase
• Second stage - Static Code Analysis
• Vulnerability and dependency scanning
• License Scanning
• Securely storing the Build Artifact
• Protecting the Build History
DEPENDENCY MANAGEMENT
DEMO
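As an added example (not the dependency management demo from the talk), the following Python script turns the two build-phase checks above, vulnerability and dependency scanning and license scanning, into a single build gate: it parses a pinned lockfile, matches each component against an advisory list using affected version ranges, and applies a license policy that follows the copyleft / permissive split from the previous slide. The advisory feed, the license metadata, the package names, versions and advisory identifiers are all constructed for the illustration; in a real pipeline they come from the package manager's lockfile and the advisory and license databases of whatever scanner the team uses.

```python
"""Dependency vulnerability and license scan as a build-phase gate.

Added illustration for the 'Vulnerability and dependency scanning' and
'License Scanning' steps; it is not the talk's demo. The advisory feed,
license metadata and lockfile are constructed; package names, versions and
advisory ids are invented placeholders.
"""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: str             # first fixed version (exclusive upper bound)
    advisory_id: str       # placeholder identifier, not a real CVE

def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_lockfile(text: str) -> dict:
    """Minimal 'name==version' parser; ignores comments and blank lines.
    Unpinned entries are rejected: an immutable package needs pinned inputs."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError("unpinned dependency: %s" % line)
        deps[name.strip().lower()] = version.strip()
    return deps

def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)

# License policy following the slides' copyleft / permissive split: strong
# copyleft is denied for a shipped product, weak copyleft needs a review.
LICENSE_POLICY = {
    "MIT": "allow", "Apache-2.0": "allow", "BSD-3-Clause": "allow",
    "LGPL-2.1": "review", "LGPL-3.0": "review",
    "GPL-2.0": "deny", "GPL-3.0": "deny", "AGPL-3.0": "deny",
}

@dataclass
class ScanReport:
    vulnerabilities: list = field(default_factory=list)   # (pkg, version, advisory_id)
    license_denied: list = field(default_factory=list)    # (pkg, license)
    license_review: list = field(default_factory=list)    # (pkg, license)
    unknown_license: list = field(default_factory=list)   # pkg

    @property
    def passed(self) -> bool:
        # Unknown licenses fail too: "we do not know" is not a safe default.
        return not (self.vulnerabilities or self.license_denied or self.unknown_license)

def scan(deps: dict, advisories: list, licenses: dict) -> ScanReport:
    report = ScanReport()
    for pkg, version in deps.items():
        for adv in advisories:
            if adv.package == pkg and is_affected(version, adv):
                report.vulnerabilities.append((pkg, version, adv.advisory_id))
        lic = licenses.get(pkg)
        if lic is None:
            report.unknown_license.append(pkg)
            continue
        verdict = LICENSE_POLICY.get(lic, "deny")   # unlisted licenses are denied
        if verdict == "deny":
            report.license_denied.append((pkg, lic))
        elif verdict == "review":
            report.license_review.append((pkg, lic))
    return report

# Constructed inputs (invented package names, versions and advisory ids).
SAMPLE_LOCKFILE = """
# pinned third-party components
webfw==2.3.1
tlslib==1.0.2      # inside the affected range of the constructed advisory
pdfgen==4.0.0
imgtool==0.9.5
"""
SAMPLE_ADVISORIES = [
    Advisory("tlslib", introduced="1.0.1", fixed="1.0.3", advisory_id="ADV-EXAMPLE-0001"),
    Advisory("webfw", introduced="2.4.0", fixed="2.4.2", advisory_id="ADV-EXAMPLE-0002"),
]
SAMPLE_LICENSES = {"webfw": "MIT", "tlslib": "Apache-2.0",
                   "pdfgen": "AGPL-3.0", "imgtool": "LGPL-3.0"}

def run_gate(lockfile: str = SAMPLE_LOCKFILE) -> ScanReport:
    return scan(parse_lockfile(lockfile), SAMPLE_ADVISORIES, SAMPLE_LICENSES)

if __name__ == "__main__":
    r = run_gate()
    print("vulnerable:", r.vulnerabilities)
    print("license denied:", r.license_denied, "review:", r.license_review)
    print("BUILD", "PASSED" if r.passed else "FAILED")
```

The version-range comparison is the part worth getting right: `webfw` 2.3.1 sits below the advisory's introduced version and is correctly left alone, while `tlslib` 1.0.2 falls inside its range and fails the build together with the AGPL-licensed component.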
DEPLOY / RELEASE PHASE
“THIS IS THE PHASE WHERE THE ARTIFACTS MOVE FROM YOUR ‘PROTECTED’ ENVIRONMENT INTO THE OPEN”
DEPLOY / RELEASE PHASE - IDENTIFY
• Unauthorized change in the release steps
• Target environment accessible by multiple processes
• Deployed application has obvious vulnerabilities
• Deployed application has unexpected consequences on availability etc.
• Secrets are exposed during deployment process
DEPLOY / RELEASE PHASE - PREVENT
• Run Dynamic Security Tests on Infrastructure
• Run Tests that require a deployed application
• Monitor key metrics after deployment
• Set up secure Endpoints to target environment
• Secret Management in the pipeline
• Build in a mechanism to separate functional from technical release
• Enforce 4-eyes principle on the release pipeline
RELEASE GATES
DEMO
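As an added example (not the release gates demo from the talk), the following Python script is a release gate that combines three of the prevent items above into one promotion decision: key metrics monitored over a soak window after deployment, findings from a dynamic security test that needs the deployed application, and a 4-eyes check on the release itself. Missing evidence is treated as a failure rather than a pass. The metric samples, finding titles, approver names and thresholds are constructed; a real gate would pull the same evidence from the monitoring and scanning tools the pipeline already uses.

```python
"""Release gate: decide whether a deployment may be promoted to the next stage.

Added illustration of the 'Release Gates' idea from the deploy/release phase;
it is not the talk's demo. Metric samples, DAST findings, approvers and all
thresholds are constructed for the example.
"""
from dataclasses import dataclass

MAX_ERROR_RATE = 0.01          # 1 % failed requests during the soak window
MAX_P95_LATENCY_MS = 500.0
BLOCKING_SEVERITIES = {"critical", "high"}
MIN_SAMPLES = 3                # fewer samples means the soak window was not observed

@dataclass(frozen=True)
class MetricSample:
    minute: int                # minutes since the deployment finished
    error_rate: float
    p95_latency_ms: float

@dataclass(frozen=True)
class Finding:
    severity: str              # from the dynamic security test against the deployed app
    title: str

@dataclass
class GateResult:
    promote: bool
    reasons: list              # empty when the gate passes

def evaluate_gate(samples, findings, approvers, deployer, soak_minutes=10) -> GateResult:
    """Every check appends a reason; the release is promoted only if none fire.
    Missing evidence is treated as a failure, never as a pass."""
    reasons = []

    # 1. Monitor key metrics after deployment, over a soak window.
    window = [s for s in samples if s.minute <= soak_minutes]
    if len(window) < MIN_SAMPLES:
        reasons.append("insufficient monitoring data: %d sample(s) in %d-minute soak"
                       % (len(window), soak_minutes))
    for s in window:
        if s.error_rate > MAX_ERROR_RATE:
            reasons.append("error rate %.3f at minute %d exceeds %.3f"
                           % (s.error_rate, s.minute, MAX_ERROR_RATE))
        if s.p95_latency_ms > MAX_P95_LATENCY_MS:
            reasons.append("p95 latency %.0f ms at minute %d exceeds %.0f ms"
                           % (s.p95_latency_ms, s.minute, MAX_P95_LATENCY_MS))

    # 2. Dynamic security tests that need a deployed application.
    for f in findings:
        if f.severity.lower() in BLOCKING_SEVERITIES:
            reasons.append("open %s finding from dynamic test: %s" % (f.severity, f.title))

    # 3. 4-eyes on the release: someone other than the deployer must approve.
    if not (set(approvers) - {deployer}):
        reasons.append("no approval from anyone other than the deployer (%s)" % deployer)

    return GateResult(promote=not reasons, reasons=reasons)

# Constructed evidence for two releases.
HEALTHY_SAMPLES = [MetricSample(m, 0.002, 180.0) for m in range(1, 11)]
DEGRADED_SAMPLES = [MetricSample(1, 0.002, 190.0),
                    MetricSample(2, 0.030, 820.0),
                    MetricSample(3, 0.028, 790.0)]

def healthy_release() -> GateResult:
    return evaluate_gate(HEALTHY_SAMPLES, findings=[],
                         approvers={"reviewer-a"}, deployer="release-bot")

def degraded_release() -> GateResult:
    findings = [Finding("High", "TLS 1.0 still enabled on public endpoint"),
                Finding("Low", "Server header reveals version")]
    # The deployer approving their own release does not satisfy 4-eyes.
    return evaluate_gate(DEGRADED_SAMPLES, findings,
                         approvers={"release-bot"}, deployer="release-bot")

if __name__ == "__main__":
    for name, result in (("healthy", healthy_release()), ("degraded", degraded_release())):
        print(name, "-> PROMOTE" if result.promote else "-> BLOCKED")
        for reason in result.reasons:
            print("   ", reason)
```

Keeping every reason rather than stopping at the first one is deliberate: the release pipeline's summary then shows the whole picture (degraded metrics, an open high finding and a missing second pair of eyes) instead of one failure at a time.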
ASSUME BREACH / RUN
IDENTIFY PREVENT REACT
PREVENT BREACH ASSUME BREACH
[Diagram, REACT: Monitor · MTTR · Baselines · Pipelines · Alerts · Continuous Delivery · You build it / You run it · Post Mortem · Share Experience · Rebuilt · Everything as Code]
DETECT RESPOND RECOVER
DETECT, RESPOND, RECOVER
DEMO
Monitor → Detect → Fix Bleeding → Scan & Fix Locally → Embed in Pipeline → Set new Baseline → Continuous Assurance
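As an added example (not the demo from the talk), the following Python script shows the mechanics behind the "Scan & Fix Locally → Embed in Pipeline → Set new Baseline → Continuous Assurance" loop: after the local fix round, the remaining findings are recorded as a baseline; the pipeline step then fails only on findings that are not in the baseline, and the baseline is ratcheted downwards whenever a known finding disappears, never grown automatically. Findings are keyed by a fingerprint of rule, file and normalised code rather than by line number, so an unrelated edit above a known finding does not make it look new. The finding records, rule identifiers and baseline format are constructed; any scanner that reports a rule id, file and snippet can feed the same logic.

```python
"""Baseline-driven scanning: fail only on new findings, ratchet the baseline down.

Added illustration of the 'Scan & Fix Locally -> Embed in Pipeline -> Set new
Baseline -> Continuous Assurance' loop; not the talk's demo. The findings,
rule ids and baseline file format are constructed for the example.
"""
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str

def fingerprint(f: Finding) -> str:
    """Stable key: rule + file + normalised code, deliberately excluding the
    line number so that unrelated edits above a finding do not make it 'new'."""
    normalised = " ".join(f.snippet.split())
    raw = "%s|%s|%s" % (f.rule_id, f.path, normalised)
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def load_baseline(text: str) -> dict:
    """Baseline JSON: {fingerprint: {"rule": ..., "path": ...}}; empty text -> {}."""
    return json.loads(text) if text.strip() else {}

def compare(findings, baseline: dict):
    """Split current findings into new (block the pipeline) and known (accepted
    debt), and report which baseline entries no longer occur (fixed)."""
    current = {fingerprint(f): f for f in findings}
    new = [f for fp, f in current.items() if fp not in baseline]
    known = [f for fp, f in current.items() if fp in baseline]
    fixed = [fp for fp in baseline if fp not in current]
    return new, known, fixed

def ratchet_baseline(baseline: dict, fixed: list) -> dict:
    """The baseline may only shrink: fixed findings are dropped, new ones are
    never auto-added (accepting new debt is an explicit human decision)."""
    return {fp: entry for fp, entry in baseline.items() if fp not in fixed}

def write_baseline(findings) -> str:
    """Create the initial baseline after the local scan-and-fix round."""
    entries = {fingerprint(f): {"rule": f.rule_id, "path": f.path} for f in findings}
    return json.dumps(entries, indent=2, sort_keys=True)

def pipeline_step(findings, baseline_text: str):
    """What the embedded pipeline check returns: (passed, new findings, updated baseline)."""
    baseline = load_baseline(baseline_text)
    new, known, fixed = compare(findings, baseline)
    updated = ratchet_baseline(baseline, fixed)
    return (not new), new, json.dumps(updated, indent=2, sort_keys=True)

# Constructed findings: what a scanner reported when the baseline was taken...
INITIAL = [
    Finding("SQLI-001", "app/orders.py", 42, 'cur.execute("SELECT * FROM orders WHERE id=" + oid)'),
    Finding("XSS-003", "web/views.py", 17, "return render_raw(user_input)"),
]
# ...and on a later run: the SQL finding moved down five lines (still known),
# the XSS finding was fixed, and a new hard-coded token appeared.
LATER = [
    Finding("SQLI-001", "app/orders.py", 47, 'cur.execute("SELECT * FROM orders WHERE id=" + oid)'),
    Finding("SECRET-002", "app/settings.py", 3, 'TOKEN = "constructed-example-token-value"'),
]

if __name__ == "__main__":
    baseline_text = write_baseline(INITIAL)
    passed, new, updated = pipeline_step(LATER, baseline_text)
    print("pipeline passed:", passed)
    for f in new:
        print("NEW", f.rule_id, f.path, f.line)
    print("baseline now has", len(load_baseline(updated)), "accepted finding(s)")
```

The updated baseline text is what the pipeline commits back (or stores next to the scan configuration); because it can only shrink, the count of accepted findings is a metric that has to trend towards zero, which is the continuous assurance the slide refers to.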
ADD MORE RUGGED-NESS
RED TEAM vs. BLUE TEAM
Red Team
• Model real-world attacks
• Identify gaps in security story
• Demonstrable impact
Blue Team
• Exercises ability to detect & respond
• Enhances situational awareness
• Measures readiness & impact
AND COMPLIANCY?
COMPLIANT BY DEFAULT
[Diagram: AVAILABILITY, INTEGRITY and CONFIDENTIALITY arranged as a triangle, numbered 1, 2, 3]
René van Osnabrugge
Xpirit Netherlands
@renevo
rvanosnabrugge@xpirit.com
https://roadtoalm.com
Attributions
Pictures: https://unsplash.com / https://www.flickr.com/photos/wocintechchat
Gifs: https://giphy.com
Music: https://open.spotify.com/user/rvanosnabrugge/playlist/0BWgsNPM5iwgk8ZGlMHeoY?si=l9-tV8FTR8S1J7AbKBz-KA
Video: https://www.youtube.com/watch?v=47u3n1kX0wE
Thanks: Geert, Marcel, Alex, Jasper, Xpirit
VSLive Las Vegas - The Shift to Rugged DevOps
