
2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pipelines in Partnership with Security Teams


Presented at AFCEA West 2017:

http://www.westconference.org/West17/Public/SessionDetails.aspx?FromPage=Sessions.aspx&SessionID=5747&SessionDateID=371

Published in: Software

  1. DevOpsSec: Building CI/CD with Security Teams. Shawn Wells, Chief Security Strategist, Red Hat Public Sector. shawn@redhat.com || 443-534-0130
  2. NDA REQUIRED | JIM TYRRELL
  3. RELEASES PER YEAR: 1/day, 1/hour
  4. INTRO TO CI/CD (https://www.youtube.com/watch?v=65BnTLcDAJI): source repository, CI/CD engine, dev container
  5. INTRO TO CI/CD (https://www.youtube.com/watch?v=65BnTLcDAJI), continued
  6. Meanwhile, in Government: FISMA from an earlier era
     ● Written in 2003-2004
     ● Pre GovCloud, C2S, MilCloud
     ● Pre DevOps, Infrastructure as Code
     ● Multi-year dev/ship cycles common
     ● Waterfall dominant
     ● IT was more manual a decade ago
  7. Meanwhile, in Government: FISMA from an earlier era. Source: https://www.telos.com/assets/Telos-AWS-white-paper.pdf
  8. DevOps + Security
  9. Layered Packaging: Separation of Concerns. Layers owned by operations, architects, and application developers.
  10. Registries: Where do you get your containers?
     Public and Private Registries
     ● What security meta-data is available for your images?
     ● Are the images updated regularly?
     ● Are there access controls in the registry? How strong are they?
     Red Hat Container Registry
     ● Policies to control who can deploy which containers
     ● Certification Catalog
     ● Trusted content with security updates
     (Figure: image layer stack of HOST OS, CONTAINER OS, RUNTIME, APP)
  11. Container Contents Matter. You need to know . . .
     ● Will what’s inside your container compromise your infrastructure?
     ● Are there known vulnerabilities in the application layer?
     ● Are the runtime and operating system layers up to date?
     (Figure: layer stack of CONTAINER OS, RUNTIME, APPLICATION)
  12. Community-created portfolio of tools and content to assess systems for known vulnerabilities. https://github.com/NSAgov, or direct: https://github.com/OpenSCAP
  13. https://github.com/nsagov
  14. RHEL7 STIG content, rebased in RHEL 7.3:
     ● 6,180 commits from 95 people
     ● 441,055 lines of code
     OpenSCAP interpreter contains:
     ● 6,811 commits from 74 people
     ● 157,775 lines of code
     “Security Button” RHEL7 Installer:
     ● 6 people, 90 days
     Shipping in RHEL 7:
     ● Intelligence Community: C2S and CS2
     ● DoD: RHEL7 Vendor STIG
     ● Civilian: USGCB/OSPP
     ● Justice: FBI Criminal Justice Info. Systems (FBI CJIS)
  15. (no text)
  16. Atomic Scan: enables multiple container scanners through the Red Hat container scanning API (RED HAT CONTAINER SCANNING INTERFACE)
  17. Example Pipeline
  18. Demos!
  19. Thank You
  20. Contact Info
     LinkedIn: https://www.linkedin.com/in/shawndwells/
     EMail: shawn@redhat.com
     Cell: 443-534-0130 (US EST)
     Blog: https://shawnwells.io
     OpenSCAP Slides + Videos: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References
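Slides 12, 16 and 17 describe scanning containers with OpenSCAP content and wiring the result into an example pipeline. The following is an added example, not from the deck or the OpenSCAP project, of the pipeline-gate step: it reads an XCCDF 1.2 results file (the format `oscap xccdf eval --results` writes) and fails the stage on a policy agreed with the security team. The XML sample, rule ids and the gate policy are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed sample in the XCCDF 1.2 results layout `oscap xccdf eval --results`
# writes; rule ids and severities are made up for this example.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample">
    <rule-result idref="xccdf_example_rule_sshd_no_root_login" severity="high">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_telnet_removed" severity="high">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_login_banner" severity="low">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_auditd_enabled" severity="medium">
      <result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""


def failing_rules(xml_text):
    """Map rule id -> severity for every rule-result whose <result> is 'fail'."""
    root = ET.fromstring(xml_text)
    failed = {}
    for rr in root.iter(XCCDF_NS + "rule-result"):
        if rr.findtext(XCCDF_NS + "result") == "fail":
            failed[rr.get("idref")] = rr.get("severity", "unknown")
    return failed


def gate(xml_text, block_on=("high",), max_other_fails=0):
    """Pipeline decision: (passed, fail counts by severity).

    Policy is an assumption to agree with the security team: any failure at a
    blocking severity stops the build; lower-severity failures are tolerated
    up to max_other_fails so the scan still produces a signal, not just noise.
    """
    by_sev = Counter(failing_rules(xml_text).values())
    blocking = sum(by_sev[s] for s in block_on)
    other = sum(by_sev.values()) - blocking
    return blocking == 0 and other <= max_other_fails, by_sev


if __name__ == "__main__":
    ok, counts = gate(SAMPLE_RESULTS)
    print("scan gate:", "PASS" if ok else "FAIL", dict(counts))
    raise SystemExit(0 if ok else 1)  # non-zero exit stops the CI/CD stage
```

In a real stage the scan output would come from `oscap` or `atomic scan` against the built image, and the exit code is what the CI/CD engine acts on.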
