Putting developers and IT pros in one team does not make it a DevOps team. And even when they work smoothly together, there is always security that needs to be addressed. Build and release pipelines take care of building and deploying your application, but are your pipelines secure? And the code that you are deploying? With many releases a day, security officers will not be able to verify each release. Rugged DevOps is all about securing your assets and your pipeline and really embedding security into your DevOps process.
In this talk I will guide you through the concepts of Rugged DevOps and the risks companies are currently facing, and talk about some strategies and tools which can help you embed security into your DevOps processes.
You will learn:
About the concepts of Rugged DevOps
How to embed security in your pipelines
How to detect, respond and recover in production
VSLive Las Vegas - The Shift to Rugged DevOps
1. 2/13/2020
THE SHIFT TO RUGGED DEVOPS
SECURITY IN YOUR PIPELINES
RENÉ VAN OSNABRUGGE
@RENEVO
René van Osnabrugge
Xpirit Netherlands
@renevo
rvanosnabrugge@xpirit.com
https://roadtoalm.com
“Health is a state of complete physical, mental
and social well-being, and not merely the
absence of disease or infirmity.”
World Health Organization, 1948
THIS WAS ALL VERY SECURE!
Unbreachable walls, indestructible machines, watchful security guards
UNTIL IT WAS NOT!
COMPLIANT SECURE RUGGED
“FUNDAMENTALLY, IF SOMEBODY WANTS TO GET IN,
THEY'RE GETTING IN… ACCEPT THAT.
NUMBER ONE, YOU'RE IN THE FIGHT, WHETHER YOU
THOUGHT YOU WERE OR NOT.
NUMBER TWO, YOU ALMOST CERTAINLY ARE
PENETRATED.
WE NEED TO SHIFT FROM PREVENT TO ASSUME
BREACH!”
Michael Hayden
Former Director of NSA & CIA
[Chart: Security Level, Current vs. Desired, on a 0 to 100 scale, plotted month by month (Jan to Dec) over three years; annotated twice with “Audit coming up!”]
… TO AUTOMATED
SECURITY IS THE NEXT SILO TO TEAR DOWN
WHAT NEEDS TO BE SECURE?
• Identity & Access
• Servers & Containers
• Firewalls & Network
• Passwords & Secrets
• Libraries & Licenses
• Application Code
• Build & Delivery Pipelines
CODING PHASE
“In the coding phase, an idea transforms into code”
CODING PHASE - IDENTIFY
• Bad coding practices resulting in Technical Debt
• Non-deployable code
• Untested code and therefore unintended consequences
• Passwords/Secrets etc. exposed in code
WE ALL NEED SOME PROTECTION …
FROM OURSELVES
STORING PHASE - IDENTIFY
• Everything from the Coding phase!
• Unknown committers to the Git repository
• Suspicious code is committed to the code repository
• Code is deployed without the 4-eyes principle
• Code contains secrets/passwords etc.
STORING PHASE - PREVENT
• Protect the Git repo to ensure the “pusher” is known
• Use Pull Requests and protect the master branch
• Run Continuous Integration builds
• Enforce 4-eyes on every code change
• Enforce CI checks on every code change:
  • Static Code Analysis
  • CredScans
  • Compiling / Syntax Checking
  • Unit Tests
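The “CredScan” check above (and the “Passwords/Secrets exposed in code” risk from the coding phase) can be enforced as a required CI check on every pull request. The following is an added example, not the speaker's tooling or any vendor's scanner: it flags known credential formats by pattern and falls back to an entropy test for long string literals. The rule names, the entropy threshold and the sample file are assumptions constructed for the example; the AWS key value is AWS's documented example key, not a live credential.

```python
"""Constructed example of a CI credential scan ("CredScan" step).

Added illustration only: not the speaker's tooling or any vendor's scanner.
It looks for known credential formats and for long, high-entropy string
literals, and is meant to run as a required check on every pull request.
"""
import math
import re
import sys
from dataclasses import dataclass

# Known credential formats. The AWS key used in the sample below is AWS's
# documented example value; every other sample value here is constructed.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A secret-like variable assigned a quoted literal. Values containing
    # $ { } are treated as templates/placeholders (e.g. "${API_KEY}") and skipped.
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"\s${}]{8,}['\"]"
    ),
}

# Long literals drawn from a base64/hex-like alphabet get an entropy check
STRING_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score well above prose."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str, entropy_threshold: float = 4.0) -> list[Finding]:
    """Return one finding per offending line: known formats first, entropy second."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule))
                break
        else:
            for m in STRING_LITERAL.finditer(line):
                if shannon_entropy(m.group(1)) >= entropy_threshold:
                    findings.append(Finding(path, line_no, "high_entropy_literal"))
                    break
    return findings


def scan_paths(paths: list[str]) -> list[Finding]:
    """Scan files on disk, e.g. the files changed in a pull request."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(path, fh.read()))
    return findings


# Constructed sample source file: lines 4, 5 and 6 should be flagged, the rest not.
SAMPLE_FILE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_key = "${API_KEY}"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
token = "hunter2hunter2"
signing_blob = "a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuVwXyZ"
window_title = "ConnectionTimeoutSeconds"
"""

if __name__ == "__main__":
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text("settings.py", SAMPLE_FILE)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.rule}")
    sys.exit(1 if results else 0)   # non-zero exit fails the CI check
```

The exit code is what makes this a gate: wired in as a required status check on the protected branch, a non-zero exit blocks the merge. The entropy fallback is the noisy part in practice (long camel-case identifiers can score above 4 bits per character), so teams usually tune the threshold and keep an allow-list for documented placeholder values rather than lower it globally.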
BUILD PHASE
“In the build phase we transform the product from code and
script into an immutable and versioned package”
BUILD PHASE - IDENTIFY
• Package can be unintentionally modified
• Code can contain vulnerabilities / Technical Debt
• Code can contain secrets
• Code is untested/unstable
• Unauthorized modification of the build process
• Code can use insecure libraries
• Code can use unlicensed / wrongly licensed libraries
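The first risk in this list, a package that is modified after the build, is what the “immutable and versioned package” definition is meant to rule out. The example below is an added illustration, not the speaker's code or any build system's native feature: the build stage writes a manifest of per-file SHA-256 digests plus the version and authenticates it, and the release stage refuses to deploy unless the package still matches. An HMAC key shared only between build and release agents is assumed here for simplicity; asymmetric signing is the stronger choice, but the verification logic is the same. The file contents and version are constructed.

```python
"""Constructed example: manifest-based integrity check for a build artifact.

Added illustration, not the speaker's code. The build stage produces
(manifest, signature); the release stage calls verify_package() before it
touches the target environment. The HMAC key is an assumption standing in for
a proper signing key held by the build service.
"""
import hashlib
import hmac
import json


def build_manifest(files: dict[str, bytes], version: str) -> dict:
    """Per-file SHA-256 digests plus the package version, in a stable order."""
    return {
        "version": version,
        "files": {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())},
    }


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so the same manifest always signs the same way."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_package(files: dict[str, bytes], version: str, manifest: dict,
                   signature: str, key: bytes) -> tuple[bool, str]:
    """Release-side check: authentic manifest, expected version, identical files."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature mismatch"
    if manifest["version"] != version:
        return False, "version mismatch"
    expected = manifest["files"]
    if set(expected) != set(files):
        return False, "file set differs from manifest"
    for name, data in files.items():
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected[name]):
            return False, f"digest mismatch: {name}"
    return True, "ok"


# Constructed package and key (not real build output; the key is an assumption)
BUILD_KEY = b"constructed-example-key-held-by-build-service"
PACKAGE = {"app.dll": b"\x4d\x5a compiled bits", "web.config": b"<configuration/>"}
VERSION = "1.4.0"
MANIFEST = build_manifest(PACKAGE, VERSION)
SIGNATURE = sign_manifest(MANIFEST, BUILD_KEY)


def tampered_package() -> dict[str, bytes]:
    """Same package with one file changed after the build, for the demo."""
    altered = dict(PACKAGE)
    altered["web.config"] = b"<configuration><debug>true</debug></configuration>"
    return altered


if __name__ == "__main__":
    print("clean package:   ", verify_package(PACKAGE, VERSION, MANIFEST, SIGNATURE, BUILD_KEY))
    print("tampered package:", verify_package(tampered_package(), VERSION, MANIFEST, SIGNATURE, BUILD_KEY))
    print("wrong version:   ", verify_package(PACKAGE, "1.4.1", MANIFEST, SIGNATURE, BUILD_KEY))
```

The point of checking the signature before anything else is that the manifest itself is part of the artifact: without authentication, whoever can alter a file can also rewrite its digest. Version is bound into the signed manifest for the same reason, so a release cannot be pointed at an older package under a newer label.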
DEPLOY / RELEASE PHASE
“THIS IS THE PHASE WHERE THE ARTIFACTS MOVE FROM YOUR
‘PROTECTED’ ENVIRONMENT INTO THE OPEN”
DEPLOY / RELEASE PHASE - IDENTIFY
• Unauthorized change in the release steps
• Target environment accessible by multiple processes
• Deployed application has obvious vulnerabilities
• Deployed application has unexpected consequences on availability etc.
• Secrets are exposed during the deployment process
DEPLOY / RELEASE PHASE - PREVENT
• Run Dynamic Security Tests on the infrastructure
• Run tests that require a deployed application
• Monitor key metrics after deployment
• Set up secure endpoints to the target environment
• Secret management in the pipeline
• Build in a mechanism to separate functional from technical release
• Enforce the 4-eyes principle on the release pipeline
RELEASE GATES
DEMO
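“Monitor key metrics after deployment” and the release gates demo both come down to the same decision: a release only progresses to the next stage when the metrics observed after deployment stay within limits derived from the previous release. The following is an added example of that decision logic, not the speaker's demo or any release tool's built-in gate; the metric samples, the baseline values and the tolerance policy are constructed assumptions, and in a real pipeline the samples would be queried from the monitoring system at each gate evaluation.

```python
"""Constructed example of a post-deployment release gate.

Added illustration, not the speaker's demo or any vendor's gate implementation.
The gate passes only if every metric sample in the observation window is
within limits derived from the previous release's baseline. Metric values
here are constructed; in practice they come from the monitoring system.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class MetricSample:
    minute: int              # minutes since the deployment finished
    error_rate: float        # fraction of requests answered with a 5xx
    p95_latency_ms: float    # 95th percentile response time


@dataclass(frozen=True)
class GatePolicy:
    baseline_error_rate: float       # measured on the previous release
    baseline_p95_ms: float
    relative_tolerance: float = 0.5  # allow at most 50% regression vs. baseline
    max_error_rate: float = 0.02     # absolute ceiling, whatever the baseline says
    min_samples: int = 3             # never pass a gate on too little evidence


@dataclass
class GateResult:
    passed: bool
    reasons: list[str] = field(default_factory=list)


def error_rate_limit(policy: GatePolicy) -> float:
    """Tolerated error rate: relative to baseline, but never above the ceiling."""
    return min(policy.baseline_error_rate * (1 + policy.relative_tolerance),
               policy.max_error_rate)


def evaluate_gate(samples: list[MetricSample], policy: GatePolicy) -> GateResult:
    """Collect every violation in the window; the gate passes only if there are none."""
    reasons: list[str] = []
    if len(samples) < policy.min_samples:
        reasons.append(f"only {len(samples)} sample(s), need at least {policy.min_samples}")
    err_limit = error_rate_limit(policy)
    lat_limit = policy.baseline_p95_ms * (1 + policy.relative_tolerance)
    for s in samples:
        if s.error_rate > err_limit:
            reasons.append(f"minute {s.minute}: error rate {s.error_rate:.4f} > {err_limit:.4f}")
        if s.p95_latency_ms > lat_limit:
            reasons.append(f"minute {s.minute}: p95 latency {s.p95_latency_ms:.0f} ms > {lat_limit:.0f} ms")
    return GateResult(passed=not reasons, reasons=reasons)


# Constructed data: the previous release's baseline and two observation windows
POLICY = GatePolicy(baseline_error_rate=0.005, baseline_p95_ms=220.0)

HEALTHY_WINDOW = [MetricSample(1, 0.004, 210.0),
                  MetricSample(2, 0.006, 230.0),
                  MetricSample(3, 0.005, 225.0)]

DEGRADED_WINDOW = [MetricSample(1, 0.004, 210.0),
                   MetricSample(2, 0.030, 900.0),   # regression shows up here
                   MetricSample(3, 0.005, 225.0)]

if __name__ == "__main__":
    for name, window in (("healthy", HEALTHY_WINDOW), ("degraded", DEGRADED_WINDOW)):
        result = evaluate_gate(window, POLICY)
        print(name, "PASS" if result.passed else "FAIL", *result.reasons, sep="\n  ")
```

Two design choices matter more than the exact numbers. The minimum sample count keeps a gate from passing on the first quiet minute after a deployment, before traffic has reached the new version; and the absolute error-rate ceiling stops a bad baseline (a previous release that was already unhealthy) from being inherited as the new normal. Because every violation is recorded rather than the first one only, the failure output doubles as the starting point for the post-mortem.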
ASSUME BREACH / RUN
IDENTIFY / PREVENT / REACT
PREVENT BREACH vs. ASSUME BREACH
DETECT: Monitor, Baselines, Alerts
RESPOND: React, MTTR, Pipelines, Continuous Delivery, You build it / You run it
RECOVER: Post Mortem, Share Experience, Rebuilt, Everything as Code
RED TEAM vs. BLUE TEAM
Red Team
• Model real-world attacks
• Identify gaps in security story
• Demonstrable impact
Blue Team
• Exercises ability to detect & respond
• Enhances situational awareness
• Measures readiness & impact
AND COMPLIANCE?