
DevSecOps: The Open Source Way

Amsterdam, May 2018
Even DevOps purists are now embracing the DevSecOps term as they’ve recognized how siloed security often remains. Security still gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats. Distributed development teams and rapid iterative releases require a commitment to security approaches that are continuous, adaptive, and heavily automated.

In this session, Red Hat Technology Evangelist Gordon Haff will discuss successful practices for using a rich ecosystem of open source and other software to bake security into the development and deployment pipeline to both iterate quickly and minimize business risk. He’ll discuss how container platforms and other cloud-native tooling can serve as the foundation for DevSecOps. Finally, he’ll look at good practices for integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning.


  1. DevSecOps: The Open Source Way. Gordon Haff, Technology Evangelist, Red Hat, @ghaff
  2. Who am I? Technology Evangelist at Red Hat; reformed analyst; former big systems guy; photographer, hiker, traveler, etc. See also http://www.bitmasons.com
  3. DevOps: Extending Agile ● Culture of collaboration valuing openness and transparency ● Automation of process from development through ongoing operations ● Platforms and tools drawing from innovative open source communities
  4. Why DevSecOps? ● DevOps “purists” point out that security was always part of DevOps ● Did people just not read the book? ● Did people not understand the book? ● Are practitioners just skipping security anyway?
  5. (Dysfunctional) silos: Dev skills? Containerization. New app dev patterns. Rethinking the pipeline.
  6. Silos
  7. SEC
  8. An alternate view: separation of concerns. You do not, in fact, want to communicate with a bank teller more efficiently. Build and operate a platform and get out of the way. Source: Flickr/cc Ning Ham https://www.flickr.com/photos/ningham/525770546
  9. Skills and security awareness
  10. OWASP Top 10 2007: Cross-site scripting (XSS); Injection flaws; Malicious file execution; Insecure direct object reference; Cross-site request forgery (CSRF); Information leakage & improper error handling; Broken authentication & session management; Insecure cryptographic storage; Insecure communications; Failure to restrict URL access
  11. OWASP Top 10 2017 RC2 (shown beside the 2007 list): Injection; Broken authentication; Sensitive data exposure; XML External Entities (XXE); Broken access control; Security misconfiguration; Cross-site scripting (XSS); Insecure deserialization; Using components with known vulnerabilities; Insufficient logging & monitoring
  12. Same 2007 vs. 2017 RC2 comparison, with the components and logging items labelled PROCESS / TOOLS
  13. Containerization
  14. Containers change how we develop, deploy, and manage applications. INFRASTRUCTURE: ● Sandboxed application processes on a shared Linux kernel ● Simpler, lighter, and denser than virtual machines ● Portable across different environments. APPLICATIONS: ● Package my application and all of its dependencies ● Deploy to any environment in seconds and enable CI/CD ● Easily access and share containerized components ● Portable across environments
  15. A simplified container stack: Red Hat Enterprise Linux; Ansible / CloudForms; RHEL Container Runtime & Packaging (SELinux and SCC); Enterprise Container Host; OCI-compliant runtime; Partners; Projects
  16. Secure the platform. Use a container orchestration platform with integrated security features including ● Role-based access controls with LDAP and OAuth integration ● Platform multi-tenant security ● Integrated & extensible secrets management ● Logging, monitoring, metrics ● Enable integration with the security ecosystem
  17. Monitoring and metrics ● Log (most) things ● Alarm few things ● Establish relevant metrics ● Root cause analysis (reactive) ● Detect patterns/trends (proactive) ● Context and distributions matter ● Incentives drive behavior
  18. New App Dev Patterns
  19. What’s new? Microservices; rapid tech churn; pervasive access; speed! Iterative development; two-pizza teams; bounded context; single/limited function services; external service interfaces. Open source; public repos; component reuse; container builds
  20. Container build, pipeline, and runtime concerns ● Do you trust the container source? ● Does the container force you to run as root? ● Microservices have special networking and governance needs ● Decouple build tools, container runtimes, and orchestration
  21. Applications are assembled… utilizing billions of available libraries, frameworks and utilities ● Not all are created equal: some are healthy and some are not ● All go bad over time; they age like milk, not like wine ● Enterprises consume an average of 229,000 software components annually, of which 17,000 had a known security vulnerability
  22. Obligatory xkcd: but even thoughtful integration pulls in a huge number of dependencies
  23. Istio and microservices: connect, manage, and secure a network of microservices (service mesh) ● Traffic management ● Observability ● Policies and enforcement ● Service identity and security
  24. API management and microservices: container platform and application APIs ● Authentication and authorization ● LDAP integration ● End-point access controls ● Rate limiting
  25. Security must be continuous… and integrated throughout the entire application lifecycle: DESIGN, BUILD, RUN, MANAGE, ADAPT. Security checklist: security policy, process & procedures
  26. Rethinking the pipeline
  27. A simplified CI/CD pipeline (diagram labels: Git, CI, Private Registry, CD; External Images, Unknown Content, Trusted Content)
  28. Integrating security into CI/CD (same pipeline diagram)
  29. Integrating security into CI/CD (same pipeline diagram, continued)
  30. Automated security throughout pipeline ● Integrate security testing into your build / CI process ● Use automated policies to flag builds with issues ● Trigger automated rebuilds ● Sign your custom container images ● Design for separation of concerns. Diagram: OPENSHIFT CI/CD PIPELINE (JENKINS) with stages UNIT TEST, CODE QUAL, VULN SCAN, INT TEST, QA, UAT; IMAGE BUILD & DEPLOY; PROMOTE TO TEST, PROMOTE TO UAT, PROMOTE TO PROD ☒; note: MODIFY FOR BLACK DUCK
  31. Glass half-empty. Glass half-full. “... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.” “By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.” DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
  32. Thank You! Gordon Haff, Technology Evangelist, Red Hat, @ghaff. Cloudy Chat podcast. www.redhat.com www.bitmasons.com
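Slide 30 says to use automated policies to flag builds with issues, trigger rebuilds, and gate promotion to TEST, UAT and PROD behind the VULN SCAN stage. The following is an added Python example of such a promotion gate; it is not from the deck or from any Red Hat tool, and the scan-report format, the per-stage thresholds and the finding ids are constructed assumptions.

```python
"""Promotion gate for a container image after the VULN SCAN stage.
Added example; report format, thresholds and ids are assumptions."""

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Assumed per-stage policy: each value is the maximum number of findings
# allowed at or above that severity. The gate tightens toward production.
STAGE_POLICY = {
    "test": {"CRITICAL": 0},
    "uat":  {"CRITICAL": 0, "HIGH": 2},
    "prod": {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 5},
}

# Constructed scan report for one image (placeholder ids, not real CVEs).
SAMPLE_SCAN = [
    {"id": "EXAMPLE-0001", "severity": "HIGH",   "package": "libexample", "fixed_in": "1.2.4"},
    {"id": "EXAMPLE-0002", "severity": "MEDIUM", "package": "libfoo",     "fixed_in": None},
    {"id": "EXAMPLE-0003", "severity": "LOW",    "package": "libbar",     "fixed_in": "0.9"},
]


def count_at_or_above(findings, severity):
    """Number of findings whose severity is >= the given level.
    Unknown severity strings rank 0 so they never silently pass a gate
    meant for a higher level, but they also do not block on their own."""
    rank = SEVERITY_RANK[severity]
    return sum(1 for f in findings if SEVERITY_RANK.get(f["severity"].upper(), 0) >= rank)


def evaluate_promotion(findings, stage):
    """Return (allowed, reasons); reasons lists every violated threshold."""
    reasons = []
    for severity, limit in STAGE_POLICY[stage].items():
        n = count_at_or_above(findings, severity)
        if n > limit:
            reasons.append(f"{n} finding(s) >= {severity} exceeds limit {limit} for {stage}")
    return (not reasons, reasons)


def rebuild_candidates(findings):
    """Findings with an upstream fix available: these justify an automated rebuild."""
    return sorted(f["id"] for f in findings if f["fixed_in"])


if __name__ == "__main__":
    for stage in ("test", "uat", "prod"):
        ok, why = evaluate_promotion(SAMPLE_SCAN, stage)
        print(f"promote to {stage}: {'ALLOW' if ok else 'BLOCK'} {why}")
    print("rebuild after fixes for:", rebuild_candidates(SAMPLE_SCAN))
```

With the constructed report the image is allowed into TEST and UAT but blocked from PROD by the single HIGH finding, which is also flagged for an automated rebuild because a fixed version exists.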
