Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
November	15,	2016
Multi	Security Checkpoints	on	
DevOps	platform
Hasan Yasar,
Technical Manager
Secure Lifecycle Solutions...
November	15,	2016
Copyright	2016	Carnegie	Mellon	University
This	material	is	based	upon	work	funded	and	supported	by	the	D...
November	15,	2016
Multi	Security Checkpoints
Fundamentals	- Process
November	15,	2016
What	Wikipedia	says…
• DevOps (a portmanteau of "development" and "operations”)
emphasizes communication...
November	15,	2016
Jez Humble,	https://youtu.be/L1w2_AY82WY
Dave	West,	http://sdtimes.com/analyst-watch-water-scrum-fall-is...
November	15,	2016
DevOps is	an	Extension	of	Agile	Thinking
• Embrace constant	
change
• Embed	Customer in	
team	to	interna...
November	15,	2016
Shared	Goals CollaborationBusiness	Needs
DevOps
November	15,	2016
Multiple Dimensions	of	DevOps	
Culture
• Developer and Ops collaborate
(Ops includes security)
• Develop...
November	15,	2016
Multi	Security Checkpoints
DevOps	Platform	- Platform
November	15,	2016
Continuous	Integration	(CI)	Model
November	15,	2016
Integration	and	
communication,	even	among	
tools,	is	the	key!
November	15,	2016
November	15,	2016
Human	actions/inputs	to	
the	software	
development	process
November	15,	2016
Actions	
performed	by	
autonomous	
systems
November	15,	2016
Multi	Security Checkpoints
Team	Integration	- People
November	15,	2016
DevOps	and	Security
November	15,	2016
DevOps	and	Security
November	15,	2016
Rugged{Secure}Dev{Sec}Ops
• DevOps	is	a		Risk	Mitigation		strategy,		built	on	Situational	
Awareness,	Au...
November	15,	2016
Team	Composition
Developers
• Features
• Quality	
Attributes
• Efficiency
• Performance
• Users
• Authen...
November	15,	2016
DevOps:	Multiple	Team	Integrations
November	15,	2016
DevOps:	Multiple	Team	Integrations	+	With	Security	Team
November	15,	2016
DevOps:	Multiple	Team	Integrations	+	With	Security	Team
November	15,	2016
Multi	Security Checkpoints
Platform	Security	in	DevOps
November	15,	2016
Evolution	of	software	development
• Custom	development	– context:
• Software	was	limited
§ Size
§ Functi...
November	15,	2016
Development	is	now	assembly
General	
Ledger
SQL	Server WebSphere
HTTP	server
XML	Parser
Oracle	DB
SIP	se...
November	15,	2016
Software	supply	chain	for	assembled	software	
• Complexity	of	acquisition,	development	and	
deployment
•...
November	15,	2016
Reducing	software	supply	chain	risk	factors
Software	supply	chain	risk	for	a	product	needs	to	be	reduced...
November	15,	2016
Supply	Chain	Hygiene:	Recommendations
• Supplier	security	commitment	evidence
• Supplier	employees	are	e...
November	15,	2016
• Development,	operations,	 teams	engineer	infrastructure	
and	application
• Operations	maintains	contin...
November	15,	2016
Platform	Security	Overview	with	Security	Highlights
• Development,	operations,	and	security	teams	engine...
November	15,	2016
Multi	Security Checkpoints
AppSec and	DevOps	- Integrating	Security	practices	into	DevOps
November	15,	2016
Dev
Lifecycle
November	15,	2016
Dev+Busines
Lifecycle
November	15,	2016
DevOps
Lifecycle
November	15,	2016
Where	are	opportunities	for	security
processes?
November	15,	2016
DevOps
Lifecycle
Threat	Modeling,		
Security	as	a	quality	attribute
November	15,	2016
DevOps
Lifecycle
Secure	/	hardened	
environments
November	15,	2016
DevOps
Lifecycle
Security-focused	code	review
November	15,	2016
DevOps
Lifecycle
Automated	Security	Testing	
(Static	analysis,	etc)
November	15,	2016
DevOps
Lifecycle
More	Security	Testing	(Pen	
Testing,	Fuzz	Testing)
November	15,	2016
DevOps
Lifecycle
Security	review	/	
acceptance	testing
November	15,	2016
Secure
DevOps
Lifecycle
November	15,	2016
Security	must	be	addressed	without	
breaking	the	rapid	delivery,	continuous	
feedback model
November	15,	2016
Secure
DevOps
Lifecycle
Devs
November	15,	2016
Secure
DevOps
Lifecycle
Devs
Constant	Feedback	to	Dev
November	15,	2016
Automation	(CI/CD)	and	Security
§ Not	everything	can	be,	needs	to	be,	or	should	be,	automated
§ Draw	per...
November	15,	2016
Post-Production	Monitoring		with	Security
Mindset
• Monitor	audit	logs	produced	by	CI/CD	for	
anomalies
...
November	15,	2016
Multi	Security Checkpoints
Practical	Security	integration	Scenarios		CI/CD
November	15,	2016
Secure
DevOps
Lifecycle
• Pausing	for	manual	steps	is	
typical
• Optimize	the	manual	work!
• Persist	the...
November	15,	2016
Scenario -1
November	15,	2016
Scenario -1
November	15,	2016
Scenario -2
November	15,	2016
Scenario -2
November	15,	2016
Scenario -3
November	15,	2016
Multi	Security Checkpoints
Demo
All	videos	are	in	SEI	YouTube	channel	
https://www.youtube.com/user/TheS...
November	15,	2016
Section (optional)
Picture
(optional)
More	on	SEI	DevOps	Blog
https://insights.sei.cmu.edu/devops
November	15,	2016
Contact	Information
Hasan	Yasar
Technical	Manager,	
Secure	Lifecycle	Solutions	
hyasar@sei.cmu.edu
@secu...
November	15,	2016
November	15,	2016
Upcoming SlideShare
Loading in …5
×

Multi Security Checkpoints on DevOps Platform

604 views

Published on

Hasan Yasar, Carnegie Mellon University

“Software security” often evokes negative feelings amongst developers because it is linked with challenges and uncertainty on rapid releases. The burgeoning concepts of DevOps can be applied to increase the security of developed applications. Applying these DevOps principles can have a big impact with resiliency and secure at multiple checkpoints. This talk explains how to do with live demo.

Published in: Software
  • Be the first to comment

  • Be the first to like this

Multi Security Checkpoints on DevOps Platform

  1. 1. November 15, 2016 Multi Security Checkpoints on DevOps platform Hasan Yasar, Technical Manager Secure Lifecycle Solutions, Software Engineering Institute, Carnegie Mellon University
  2. 2. November 15, 2016 Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University. DM-0004210
  3. 3. November 15, 2016 Multi Security Checkpoints Fundamentals - Process
  4. 4. November 15, 2016 What Wikipedia says… • DevOps (a portmanteau of "development" and "operations”) emphasizes communication, collaboration, and integration between software developers and information technology (IT) operations personnel. [1] [1] http://en.wikipedia.org/wiki/DevOps
  5. 5. November 15, 2016 Jez Humble, https://youtu.be/L1w2_AY82WY Dave West, http://sdtimes.com/analyst-watch-water-scrum-fall-is-the-reality-of-agile/ Business Research Budget Document Water Development Scrum Integrate Test Release QA Operations Fall- -
  6. 6. November 15, 2016 DevOps is an Extension of Agile Thinking • Embrace constant change • Embed Customer in team to internalize expertise on requirements and domain Agile Embrace constant testing, delivery Embed Operations in team to internalize expertise on deployment and maintenance DevOps
  7. 7. November 15, 2016 Shared Goals CollaborationBusiness Needs DevOps
  8. 8. November 15, 2016 Multiple Dimensions of DevOps Culture • Developer and Ops collaborate (Ops includes security) • Developers and Operations support releases beyond deployment • Dev and Ops have access to stakeholders who understand business and mission goals Culture Process and Practices System and Architecture Automation and Measurement Automation/ Measurement • Automate repetitive and error- prone tasks (e.g., build, testing, and deployment maintain consistent environments) • Static analysis automation (architecture health) • Performance dashboards Process and Practices • Pipeline streamlining • Continuous-delivery practices (e.g., continuous integration; test automation; script-driven, automated deployment; virtualized, self-service environments) System and Architecture • Architected to support test automation and continuous- integration goals • Applications that support changes without release (e.g., late binding) • Scalable, secure, reliable, etc.
  9. 9. November 15, 2016 Multi Security Checkpoints DevOps Platform - Platform
  10. 10. November 15, 2016 Continuous Integration (CI) Model
  11. 11. November 15, 2016 Integration and communication, even among tools, is the key!
  12. 12. November 15, 2016
  13. 13. November 15, 2016 Human actions/inputs to the software development process
  14. 14. November 15, 2016 Actions performed by autonomous systems
  15. 15. November 15, 2016 Multi Security Checkpoints Team Integration - People
  16. 16. November 15, 2016 DevOps and Security
  17. 17. November 15, 2016 DevOps and Security
  18. 18. November 15, 2016 Rugged{Secure}Dev{Sec}Ops • DevOps is a Risk Mitigation strategy, built on Situational Awareness, Automation, and Repetition • But security is where a lot of DevOps implementations fall down • Goal: – Protecting private user data – Restricting access to data / systems – Protecting company data / IP – Standards compliance – Safeguarding disposition / transition
  19. 19. November 15, 2016 Team Composition Developers • Features • Quality Attributes • Efficiency • Performance • Users • Authentication • Authorization IT Ops • Deployment • Maintenance • Updates • Change policy • Failure • Data loss • Risk prevention QA • Testable • Issue tracking • Bug Reports • Usability • Help Desk Security Team • Data Privacy • Intrusion detection • Threat vectors • CVEs • Package security • Authentication • Authorization • Security Standards Compliance
  20. 20. November 15, 2016 DevOps: Multiple Team Integrations
  21. 21. November 15, 2016 DevOps: Multiple Team Integrations + With Security Team
  22. 22. November 15, 2016 DevOps: Multiple Team Integrations + With Security Team
  23. 23. November 15, 2016 Multi Security Checkpoints Platform Security in DevOps
  24. 24. November 15, 2016 Evolution of software development • Custom development – context: • Software was limited § Size § Function § Audience • Each organization employed developers • Each organization created their own software • Shared development – ISVs (COTS) – context: • Function largely understood § Automating existing processes • Grown beyond ability for using organization to develop economically • Outside of core competitiveness by acquirers Supply chain: practically none Supply chain: software supplier Old days… In these days…
  25. 25. November 15, 2016 Development is now assembly General Ledger SQL Server WebSphere HTTP server XML Parser Oracle DB SIP servlet container GIF library Like “Plug N Play” Note: hypothetical application composition Collective development – context: • Too large for single organization • Too much specialization • Too little value in individual components Supply chain: long
  26. 26. November 15, 2016 Software supply chain for assembled software • Complexity of acquisition, development and deployment • Visibility & awareness Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsis of May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
  27. 27. November 15, 2016 Reducing software supply chain risk factors Software supply chain risk for a product needs to be reduced to acceptable level Supplier follows practices that reduce supply chain risks Delivered or updated product is acceptably secure Product Distribution Operational Product Control Product is used in a secure manner Methods of transmitting the product to the purchaser guard again tampering Product Security Supplier Capability
  28. 28. November 15, 2016 Supply Chain Hygiene: Recommendations • Supplier security commitment evidence • Supplier employees are educated as to security engineering practices • Supplier follows suitable security design practices • Evaluate a product’s threat resistance • What product characteristics minimize opportunities to enter and change the product’s security characteristics? • Create a centralized private repositories of vetted 3rd party components for all developers • Establish good product distribution practices • Recognize that supply chain risks are accumulated • Monitor for new vulnerabilities and know where they are in the enterprise to fix • Minimize variation of components to make things easier (multiple versions, duplicated utility)
  29. 29. November 15, 2016 • Development, operations, teams engineer infrastructure and application • Operations maintains continuous delivery process • Developers write and push code • Continuous integration server internally deploys code • Docker run / VM provision • Build • Test • QA team evaluates the application for correctness • Continuous delivery process deploys code to production servers • Operations maintains production servers Platform Security Overview
  30. 30. November 15, 2016 Platform Security Overview with Security Highlights • Development, operations, and security teams engineer infrastructure and application • Operations maintains continuous delivery process • Developers write and push code • Code push triggers security analysis via security controller • Continuous integration server internally deploys code • Docker run / VM provision • Build • Test • Automated security scan • QA team evaluates the application for correctness • Continuous delivery process deploys code to production servers • Operations maintains production servers
  31. 31. November 15, 2016 Multi Security Checkpoints AppSec and DevOps - Integrating Security practices into DevOps
  32. 32. November 15, 2016 Dev Lifecycle
  33. 33. November 15, 2016 Dev+Busines Lifecycle
  34. 34. November 15, 2016 DevOps Lifecycle
  35. 35. November 15, 2016 Where are opportunities for security processes?
  36. 36. November 15, 2016 DevOps Lifecycle Threat Modeling, Security as a quality attribute
  37. 37. November 15, 2016 DevOps Lifecycle Secure / hardened environments
  38. 38. November 15, 2016 DevOps Lifecycle Security-focused code review
  39. 39. November 15, 2016 DevOps Lifecycle Automated Security Testing (Static analysis, etc)
  40. 40. November 15, 2016 DevOps Lifecycle More Security Testing (Pen Testing, Fuzz Testing)
  41. 41. November 15, 2016 DevOps Lifecycle Security review / acceptance testing
  42. 42. November 15, 2016 Secure DevOps Lifecycle
  43. 43. November 15, 2016 Security must be addressed without breaking the rapid delivery, continuous feedback model
  44. 44. November 15, 2016 Secure DevOps Lifecycle Devs
  45. 45. November 15, 2016 Secure DevOps Lifecycle Devs Constant Feedback to Dev
  46. 46. November 15, 2016 Automation (CI/CD) and Security § Not everything can be, needs to be, or should be, automated § Draw perimeters around things you trust and let that guide where human interaction and verification is needed § Keep track of security assessments § Regimented code management § Know what source code contributed to a build that’s in production so patches are fast and confident § Perform manual reviews as least as possible (NOT to block CD) § static analysis § (peer) Code review § Penn testing (or any security testing tools)
  47. 47. November 15, 2016 Post-Production Monitoring with Security Mindset • Monitor audit logs produced by CI/CD for anomalies • Monitor production applications to assure nothing changes outside of the normal change process • Monitor for new vulnerabilities / threats (a catalog of running components helps!)
  48. 48. November 15, 2016 Multi Security Checkpoints Practical Security integration Scenarios CI/CD
  49. 49. November 15, 2016 Secure DevOps Lifecycle • Pausing for manual steps is typical • Optimize the manual work! • Persist the output of any tools / work
  50. 50. November 15, 2016 Scenario -1
  51. 51. November 15, 2016 Scenario -1
  52. 52. November 15, 2016 Scenario -2
  53. 53. November 15, 2016 Scenario -2
  54. 54. November 15, 2016 Scenario -3
  55. 55. November 15, 2016 Multi Security Checkpoints Demo All videos are in SEI YouTube channel https://www.youtube.com/user/TheSEICMU/featured Or in Secure DevOps section https://www.youtube.com/playlist?list=PLSNlEg26NNpx3fYrfZokWuye9RVMCnCsc
  56. 56. November 15, 2016 Section (optional) Picture (optional) More on SEI DevOps Blog https://insights.sei.cmu.edu/devops
  57. 57. November 15, 2016 Contact Information Hasan Yasar Technical Manager, Secure Lifecycle Solutions hyasar@sei.cmu.edu @securelifecycle Web Resources (CERT/SEI) http://www.cert.org/ http://www.sei.cmu.edu/
  58. 58. November 15, 2016
  59. 59. November 15, 2016

×