
DevSecOps: The Open Source Way


DevOps purists may chafe at the DevSecOps term, given that security and other important practices are supposed to already be an integral part of routine DevOps workflows. But the reality is that security often gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes, in spite of an increasing number of threats.

In this session, we’ll look at successful practices that distributed and diverse teams use to iterate rapidly. We’ll discuss how a container platform can serve as the foundation for DevSecOps in your organization. We'll also consider the risk management associated with integrating components from a variety of sources, a consideration that open source software has had to deal with since the beginning. Finally, we'll show ways in which automation and repeatable, trusted delivery of code can be built directly into a DevOps pipeline.



  1. DevSecOps: The Open Source Way. Gordon Haff, Technology Evangelist, Red Hat, @ghaff
  2. WHY DevSecOps? ● DevOps “purists” point out that security was always part of DevOps ● Did people just not read the book? ● Did people not understand the book? ● Are practitioners just skipping security anyway?
  3. Source: IT Revolution, DevOps Enterprise abstract word cloud, 2014.
  5. But now it’s 2017. Right?
  6. What’s the Problem? ● A new silo ● Devs (often) don’t grok (even) traditional security ● Assembled applications and supply chains ● Security not integrated into pipeline
  7. SEC
  8. OWASP Top 10 2007: Cross-site scripting (XSS); Injection flaws; Malicious file execution; Insecure direct object reference; Cross-site request forgery (CSRF); Information leakage & improper error handling; Broken authentication & session management; Insecure cryptographic storage; Insecure communications; Failure to restrict URL access
  9. OWASP Top 10 2007: Cross-site scripting (XSS); Injection flaws; Malicious file execution; Insecure direct object reference; Cross-site request forgery (CSRF); Information leakage & improper error handling; Broken authentication & session management; Insecure cryptographic storage; Insecure communications; Failure to restrict URL access. OWASP Top 10 2017 RC2: Injection; Broken authentication; Sensitive data exposure; XML External Entities (XXE); Broken access control; Security misconfiguration; Cross-site scripting (XSS); Insecure deserialization; Using components with known vulnerabilities; Insufficient logging & monitoring
  11. Applications are ‘assembled’… utilizing billions of available libraries, frameworks and utilities ● Not all are created equal, some are healthy and some are not ● All go bad over time, they age like milk, not like wine ● Enterprises consume an average 229,000 software components annually, of which 17,000 had a known security vulnerability
  12. A typical DevOps pipeline
  13. How security integrates
  14. Opportunities! ● Better organizations ● Containers ● Secured supply chain ● Secured pipeline ● Secured operations (together: a managed approach to risk)
  15. Better Organizations
  16. CULTURE of collaboration valuing openness and transparency (Image: Kids programming, Esti Alvarez, CC license)
  17. Open source offers guidance. Culture = f (l, o, i, t, …) where: l = leadership, o = organization, i = incentives, t = trust, … = many other things
  18. Containers
  19. What are containers? It depends on who you ask. Sys-Admins / Ops: ● Sandboxed application processes on a shared Linux OS kernel ● Simpler, lighter, and denser than virtual machines ● Portable across different environments. Developers: ● Package my application and all of its dependencies ● Deploy to any environment in seconds and enable CI/CD ● Easily access and share containerized components
  20. Containers technical timeline: LXC initial release Aug ‘08; OpenShift Online May ‘11; Docker initial release Mar ‘13; OpenShift Enterprise 3.0 Jun ‘15; Open Container Initiative Jun ‘15; Moby Apr ‘17; Buildah initial release Jun ‘17; CRI-O Sep ‘17
  21. The community landscape: open source, leadership, and standards ● Docker/Moby ● Kubernetes/OpenShift ● OCI Specifications ● Cloud Native Technical Leadership ● Vendor/partner ecosystem
  22. Open Container Initiative (OCI) ● Docker, Red Hat et al., June 2015 ● Two specifications ● Runtime ○ How to run a “filesystem bundle” that is unpacked on disk ● Image Format ○ How to create an OCI Image that contains sufficient information to launch the application on the target platform
  23. “Containers are an easy way to get a reasonable percentage of security built in.” John Willis, co-author, DevOps Handbook, ServerlessConf 2017
  24. Manage Risk
  25. MANAGED RISK, spanning Dev and Ops: Reuse; Automation; Microservices; Immutability; Pervasive access; Speed; Rapid tech churn; Flexible deploys; Containers; Software-defined
  26. Securing the assets ● Building code ○ Watching for changes in how things get built ○ Signing the builds ● Built assets ○ Scripts, binaries, packages (RPMs), containers (OCI images), machine images (ISOs, etc.) ○ Registries (Service, Container, App) ○ Repositories (local on-host image assets) (Image: Safe at Titan Missile Museum, https://upload.wikimedia.org/wikipedia/commons/5/59/Red_Safe%2C_Titan_Missile_Museum.jpg)
  27. Registries ● Do you require a private registry? ● What security metadata is available for your images? ● Are the images in the registry updated regularly? ● Are there access controls on the registry? How strong are they? Who can push images to the registry?
  28. Securing the development process ● Potentially lots of parallel builds ● Source code ○ Where is it coming from? ○ Who is it coming from? ● Supply chain tooling ○ CI tools (e.g. Jenkins) ○ Testing tools ○ Scanning tools (e.g. Black Duck) (Image: Boeing's Everett factory near Seattle, https://upload.wikimedia.org/wikipedia/commons/c/c8/At_Boeing%27s_Everett_factory_near_Seattle_%289130160595%29.jpg, Creative Commons)
  29. Securing the development process: ensure the application code is compliant; ensure the pipeline is not compromised; systematic, on-going, and automated. Pipeline: Repo Scan → Image Build → Scan → Dev Deploy → Test
  30. Track third-party development technologies ● How do we ensure that all these variations are working and supported together? ● Containers and container ecosystems help vendors to continuously secure their software
  31. Securing the operations: Deployment ● Trusted registries and repos ● Signature authenticating and authorizing ● Image scanning ● Policies ● Ongoing assessment with automated remediation (Image: Mission Control, Apollo 13, https://c1.staticflickr.com/4/3717/9460197822_9f6ab3f30c_b.jpg)
  32. Securing the operations: Lifecycle ● Blue Green or A/B or Canary, continuous deployments ● Monitoring deployments ● Possibly multiple environments
  33. Securing the operations: Monitoring and metrics ● Log (most) things ● Alarm few things ● Establish relevant metrics ● Root cause analysis (reactive) ● Detect patterns/trends (proactive) ● Context and distributions matter ● Incentives drive behavior
  34. How are we doing? “... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.” “By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.” Source: DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
  35. Thank You! Gordon Haff, Technology Evangelist, Red Hat, @ghaff. Cloudy Chat podcast, www.redhat.com, www.bitmasons.com
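As an added illustration of the Repo Scan → Image Build → Scan → Dev Deploy → Test pipeline on slide 29 and the supply-chain points on slides 11, 26 and 28 (example code written for this page, not material from the talk): a Scan-stage gate that refuses to promote an image whose digest no longer matches the Build stage record, whose scan result is stale, or that carries blocking-severity findings or a denied component. The report format, thresholds, component names and vulnerability ids are all constructed placeholders.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Policy knobs (assumed values, constructed for this example).
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
DENIED_COMPONENTS = {("utilfoo", "0.9.0")}   # hypothetical deny-list entry
MAX_SCAN_AGE = timedelta(hours=24)           # results age like milk: rescan daily

def artifact_digest(data: bytes) -> str:
    """Digest recorded by the Image Build stage and re-checked by the Scan
    stage, so an artifact swapped between stages is never promoted."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def evaluate_scan(report: dict, build_digest: str, now: datetime) -> dict:
    """Decide whether the Scan stage lets an image proceed to Dev Deploy.
    Every reason for refusal is returned so developers can fix all at once."""
    reasons = []
    if report["digest"] != build_digest:
        reasons.append("scanned digest differs from the Build stage record")
    if now - report["scanned_at"] > MAX_SCAN_AGE:
        reasons.append("scan result is stale; rescan before promoting")
    for comp in report["components"]:
        if (comp["name"], comp["version"]) in DENIED_COMPONENTS:
            reasons.append(f"denied component {comp['name']} {comp['version']}")
        for vuln in comp.get("vulnerabilities", []):
            if vuln["severity"] in BLOCKING_SEVERITIES:
                reasons.append(f"{vuln['id']} ({vuln['severity']}) in {comp['name']}")
    return {"passed": not reasons, "reasons": reasons}

# Constructed sample data: a stand-in image blob and a scanner report for it.
IMAGE_BLOB = b"constructed stand-in for an OCI image layer"
BUILD_RECORD = {"digest": artifact_digest(IMAGE_BLOB)}
NOW = datetime(2017, 10, 1, 12, 0, tzinfo=timezone.utc)
SCAN_REPORT = {
    "digest": artifact_digest(IMAGE_BLOB),
    "scanned_at": NOW - timedelta(hours=2),
    "components": [   # vulnerability ids are placeholders, not real advisories
        {"name": "libexample", "version": "1.4.2",
         "vulnerabilities": [{"id": "EXAMPLE-VULN-0001", "severity": "HIGH"}]},
        {"name": "utilfoo", "version": "0.9.0",
         "vulnerabilities": [{"id": "EXAMPLE-VULN-0002", "severity": "LOW"}]},
        {"name": "baselib", "version": "3.0.1", "vulnerabilities": []},
    ],
}

if __name__ == "__main__":
    verdict = evaluate_scan(SCAN_REPORT, BUILD_RECORD["digest"], NOW)
    print("PASS" if verdict["passed"] else "FAIL: " + "; ".join(verdict["reasons"]))
```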

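As an added example for the deployment controls on slide 31 (trusted registries, signature authenticating and authorizing, image scanning, policies) and the registry questions on slide 27, written for this page rather than taken from the talk: an admission check that only admits digest-pinned images from a trusted registry, carrying a verified signature from an identity authorized for the target namespace, with a passing scan on record. Registry names, signer identities, digests and the signature store are assumed, constructed values.

```python
import re

# Assumed deployment policy, constructed for this example: the registries a
# cluster may pull from, and which signer identities may authorize images
# for which namespace (a namespace without its own entry uses "default").
TRUSTED_REGISTRIES = {"registry.example.internal"}
AUTHORIZED_SIGNERS = {
    "payments": {"release-team@example.internal"},
    "default": {"release-team@example.internal", "platform@example.internal"},
}

# Constructed records standing in for a signature store and the scan gate's
# results. Cryptographic verification happens upstream; here we only consult
# which identities' signatures verified for a given digest.
GOOD = "sha256:" + "1" * 64            # placeholder digests, not real images
UNSIGNED = "sha256:" + "2" * 64
PLATFORM_SIGNED = "sha256:" + "3" * 64
SIGNATURES = {GOOD: {"release-team@example.internal"},
              PLATFORM_SIGNED: {"platform@example.internal"}}
SCAN_PASSED = {GOOD, UNSIGNED, PLATFORM_SIGNED}

IMAGE_REF = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)(?::(?P<tag>[^@]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")

def admit(namespace: str, image_ref: str) -> tuple:
    """Admission decision for one container image: (admitted, reason)."""
    m = IMAGE_REF.match(image_ref)
    if not m:
        return False, "unparseable image reference"
    if m["registry"] not in TRUSTED_REGISTRIES:
        return False, f"registry {m['registry']} is not trusted"
    if not m["digest"]:
        return False, "image must be pinned by digest, not a mutable tag"
    # Authentication: a verified signature exists for this digest.
    # Authorization: it comes from an identity allowed to release here.
    allowed = AUTHORIZED_SIGNERS.get(namespace, AUTHORIZED_SIGNERS["default"])
    if not SIGNATURES.get(m["digest"], set()) & allowed:
        return False, "no verified signature from a signer authorized for this namespace"
    if m["digest"] not in SCAN_PASSED:
        return False, "no passing scan on record for this digest"
    return True, "admitted"

if __name__ == "__main__":
    for ns, ref in [("payments", f"registry.example.internal/payments/api@{GOOD}"),
                    ("payments", "registry.example.internal/payments/api:latest"),
                    ("payments", f"registry.example.internal/payments/api@{PLATFORM_SIGNED}"),
                    ("sandbox", f"registry.example.internal/tools/cli@{PLATFORM_SIGNED}")]:
        print(ns, ref.split("/", 1)[1][:40], admit(ns, ref))
```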