DevSecOps: The Open Source Way for CloudExpo 2018
DevOps purists may chafe at the DevSecOps term given that security and other important practices are supposed to already be an integral part of routine DevOps workflows. But the reality is that security often gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats.

The extensive use of modular open source software from third-parties, distributed development teams, and rapid iterative releases require a commitment to security and the adoption of security approaches that are continuous, adaptive, and heavily automated.

In this session, Red Hat Technology Evangelist Gordon Haff looks at successful practices that distributed and diverse teams use to iterate rapidly while still reacting quickly to threats and minimizing business risk. I'll discuss how a container platform can serve as the foundation for DevSecOps in your organization. I'll also consider the risk management associated with integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning. Finally, I'll show ways by which automation and repeatable trusted delivery of code can be built directly into a DevOps pipeline.

Published in: Software

  2. “In the past 12 months at Gartner, how to securely integrate security into DevOps — delivering DevSecOps — has been one of the fastest-growing areas of interest of clients, with more than 600 inquiries across multiple Gartner analysts in that time frame” - Ian Head & Neil MacDonald, Dec 2017. https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/
  3. IT’S THEM PESKY HUMANS? WE NEED TO MAKE THEM SMARTER. RIGHT?
  4. OWASP TOP 10, 2007: Cross-site scripting (XSS); Injection flaws; Malicious file execution; Insecure direct object reference; Cross-site request forgery (CSRF); Information leakage & improper error handling; Broken authentication & session management; Insecure cryptographic storage; Insecure communications; Failure to restrict URL access
  5. OWASP TOP 10, 2017 RC2: Injection; Broken authentication; Sensitive data exposure; XML External Entities (XXE); Broken access control; Security misconfiguration; Cross-site scripting (XSS); Insecure deserialization; Using components with known vulnerabilities; Insufficient logging & monitoring. Shown beside the 2007 list: Cross-site scripting (XSS); Injection flaws; Malicious file execution; Insecure direct object reference; Cross-site request forgery (CSRF); Information leakage & improper error handling; Broken authentication & session management; Insecure cryptographic storage; Insecure communications; Failure to restrict URL access
  6. “Education and awareness are not the only answer for security. You need to design around humans.” - Theresa Payton, former White House CIO and star of Hunted. Nov. 2018
  7. EVOLVING RISK MANAGEMENT
  8. Reuse; Automation; Microservices; Immutability; Pervasive access; Speed; Rapid tech churn; Flexible deploys; Containers; Software-defined. MANAGED RISK: Dev, Ops
  9. DevSecOps - Traditional and Cloud Native
  10. DevSecOps the open source way. APPLICATION PIPELINE (DEV): Write App Code → Build App → Unit Test → Package App → Deploy App. INFRASTRUCTURE PIPELINE (OPS): Write Infra Code → Build Images → Validate Infra → Automate Infra → Deploy Infra. Stages: DEVELOPMENT, TEST ENVS., PRODUCTION. Supporting layers: DEPLOYMENT; MONITORING AND LOGGING; SUPPLY CHAIN; IMAGES & ARTIFACTS
  11. DEPLOYMENT PIPELINE
  12. Secure CI/CD Pipeline: Application Build → Code Quality Scanning → Image Build → Image Scanning → Tests → Production Deployment (DEPLOYMENT PIPELINE)
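The "Image Scanning" stage only protects production if something acts on its output. The following is an added example, not code from the talk or from any of the scanner products named on the next slide: a small gate that reads an image scan report and decides whether the build may continue to tests and production deployment. The report shape, the image name, the package names and the CVE identifiers are constructed placeholders, and the time-boxed waiver mechanism is an assumption about how a team would record accepted risk, not something the slide specifies.

```python
"""Image-scan gate for the "Image Scanning -> Tests -> Production Deployment"
stage of a secure CI/CD pipeline (added example, not code from the talk or
any scanner vendor; the report, image name and CVE ids are constructed)."""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed report in a generic shape; real scanners emit their own formats,
# and the CVE ids below are placeholders, not real vulnerabilities.
SAMPLE_REPORT = {
    "image": "registry.example.internal/shop/api:build-42",
    "findings": [
        {"id": "CVE-0000-0001", "severity": "critical", "package": "libexample", "fixed_in": "1.2.4"},
        {"id": "CVE-0000-0002", "severity": "high", "package": "libother", "fixed_in": None},
        {"id": "CVE-0000-0003", "severity": "low", "package": "libminor", "fixed_in": "0.9.1"},
    ],
}


@dataclass(frozen=True)
class Policy:
    block_at: str = "high"          # findings at or above this severity stop the pipeline
    block_unfixed: bool = False     # also block findings that have no upstream fix yet
    waivers: dict = field(default_factory=dict)  # finding id -> last valid day (ISO date)


@dataclass
class GateResult:
    allowed: bool
    blocking: list   # findings that stop the deployment
    waived: list     # findings covered by an unexpired waiver
    unfixed: list    # findings at/above threshold with no fix available


def evaluate(report, policy, today_iso):
    """Decide whether the scanned image may proceed to the next pipeline stage."""
    today = date.fromisoformat(today_iso)
    threshold = SEVERITY_RANK[policy.block_at]
    blocking, waived, unfixed = [], [], []
    for finding in report["findings"]:
        if SEVERITY_RANK.get(finding["severity"].lower(), 0) < threshold:
            continue  # below the gate threshold: left to the scanner's own reporting
        if finding.get("fixed_in") is None:
            unfixed.append(finding["id"])
            if not policy.block_unfixed:
                continue  # reported for tracking, but does not stop the build
        expiry = policy.waivers.get(finding["id"])
        if expiry is not None and today <= date.fromisoformat(expiry):
            waived.append(finding["id"])  # accepted risk, still surfaced in the result
            continue
        blocking.append(finding["id"])
    return GateResult(allowed=not blocking, blocking=blocking, waived=waived, unfixed=unfixed)


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT, Policy(waivers={"CVE-0000-0001": "2018-12-31"}), "2018-06-01")
    print("proceed" if result.allowed else "blocked", result)
```

In a real pipeline the job would exit non-zero when `allowed` is false. Two design points worth copying: a waiver carries an expiry so an accepted risk is revisited rather than forgotten, and unfixable findings are reported separately so the team sees them without the gate becoming something everyone learns to bypass.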
  13. Pipeline deployed securely: SysDig, Twistlock, Sonatype (DEPLOYMENT PIPELINE)
  14. SUPPLY CHAIN
  15. SUPPLY CHAIN SECURITY. Flow: Upstream → Community projects → Enterprise products → Customers. Practices: ● Community leadership ● Package selection ● Manual inspection ● Automated inspection ● Packaging guidelines ● Trusted builds ● Quality assurance ● Certifications ● Signing ● Distribution ● Support ● Security updates/patches (SUPPLY CHAIN)
  16. ENTERPRISE REGISTRIES ● Geo-replication and HA ● Access controls ● Remote metadata inspection ● Automated builds ● Security scans. Diagram labels: SKOPEO; Image Repository; Image Registry; Host (/var/lib/containers, /var/lib/docker) (SUPPLY CHAIN)
  17. DEPLOYMENT ENVIRONMENTS
  18. IMMUTABLE CONTAINER INFRASTRUCTURE ● Minimal Linux distribution ● Optimized for running containers ● Decreased attack surface ● Over-the-air automated updates ● Bare-metal and cloud host configuration (DEPLOYMENT ENV.)
  19. SECURING THE CONTAINER PLATFORM. Security features include ● Role-based Access Controls with LDAP and OAuth integration ● Secure communication ● Logging, Monitoring, Metrics ● Multitenancy via Project namespaces and integrated SDN (Kube CNI plug-in) ● Integrated & extensible secrets management (DEPLOYMENT ENV.)
  20. SECRETS MANAGEMENT ● Secure mechanism for holding sensitive data, e.g. ○ Passwords and credentials ○ SSH Keys ○ Certificates ● Secrets are made available as ○ Environment variables ○ Volume mounts ○ Interaction with external systems (e.g. vaults) ● Encrypted in transit and at rest ● Never rest on the nodes (DEPLOYMENT ENV.)
  21. NETWORK DEFENSE (DEPLOYMENT ENV.). Diagram labels: NETWORK SERVICES; STORAGE SERVICES; APPLICATION NETWORK; OPERATIONS NETWORK; PUBLIC NETWORK; CLOUD PLATFORM SERVICES (DNS, LOAD BALANCING, DIRECTORY SERVICES); CONTAINER PLATFORM (APPLICATION NODES, MASTER NODES, INFRASTRUCTURE NODES, BASTION HOST). Public network: Internet-accessible network that supports user workloads. Operations network: Private network for administration and operations. Application network: Private network for inter-app and inter-container communications.
  22. LOGGING & MONITORING
  23. Logging. Events: Cloud, Host, Container, Application → Event and Log aggregation → Normalize and store → Visualize and Alert (MONITORING AND LOGGING)
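The "aggregate, normalize and store, visualize and alert" chain on this slide is where most DevSecOps logging efforts stall: each of the four event sources speaks its own format, and nothing can be alerted on until they share a schema. The following is an added example, not code from the talk or from any logging product: it normalizes one constructed line from each source type (cloud, host, container, application) into a common event shape and then runs one alert rule over the stream. All log lines are constructed, the field names of the cloud and application records are invented for the example, the syslog year is an assumption (BSD syslog lines carry none), and the rule itself (repeated authentication failures from one source address) is an illustrative choice rather than something the slide prescribes.

```python
"""Normalize cloud, host, container and application log lines into one schema
and evaluate an alert rule over the result (added example; not code from the
talk or any product; all lines and record field names are constructed)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

SYSLOG_YEAR = 2018  # assumption: BSD syslog lines carry no year, so one is supplied

# Constructed sample lines, tagged with the source type named on the slide.
SAMPLE_LINES = [
    ("cloud", '{"eventTime":"2018-06-01T10:00:00Z","eventName":"ConsoleLogin",'
              '"errorMessage":"Failed authentication","sourceIPAddress":"198.51.100.7"}'),
    ("host", "Jun  1 10:00:05 node-1 sshd[4242]: Failed password for invalid user admin "
             "from 198.51.100.7 port 51000 ssh2"),
    ("container", "2018-06-01T10:00:09.123456789Z stderr F api: authentication failed "
                  "for token from 198.51.100.7"),
    ("application", '{"ts":"2018-06-01T10:00:12Z","level":"warn","msg":"login failed",'
                    '"client":"198.51.100.7","user":"alice"}'),
    ("host", "Jun  1 10:00:20 node-1 systemd[1]: Started Session 12 of user core."),
]

AUTH_FAILURE_MARKERS = ("failed password", "authentication failed", "login failed", "failed authentication")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SYSLOG = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+([^:\[]+)(?:\[\d+\])?:\s*(.*)$")


def parse_iso_utc(text):
    """Parse 'YYYY-MM-DDTHH:MM:SS[.frac]Z'; fractions beyond microseconds are truncated
    (container runtimes log nanoseconds, which datetime cannot represent)."""
    text = text.rstrip("Z")
    if "." in text:
        base, frac = text.split(".", 1)
        text = f"{base}.{frac[:6]:0<6}"
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def classify(message):
    """Map free-text messages onto a small action vocabulary shared by all sources."""
    lowered = message.lower()
    return "auth_failure" if any(m in lowered for m in AUTH_FAILURE_MARKERS) else "other"


def normalize(source, line):
    """Return one event in the common schema: ts, source, host, action, actor_ip, message."""
    host = None
    if source == "cloud":
        rec = json.loads(line)
        ts = parse_iso_utc(rec["eventTime"])
        message = f'{rec["eventName"]}: {rec.get("errorMessage", "Success")}'
        actor_ip = rec.get("sourceIPAddress")
    elif source == "host":
        mon, day, clock, host, _proc, message = SYSLOG.match(line).groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        found = IPV4.search(message)
        actor_ip = found.group(1) if found else None
    elif source == "container":
        stamp, _stream, _flag, message = line.split(" ", 3)  # CRI log line layout
        ts = parse_iso_utc(stamp)
        found = IPV4.search(message)
        actor_ip = found.group(1) if found else None
    elif source == "application":
        rec = json.loads(line)
        ts = parse_iso_utc(rec["ts"])
        message = rec["msg"]
        actor_ip = rec.get("client")
    else:
        raise ValueError(f"unknown source {source!r}")
    return {"ts": ts, "source": source, "host": host, "action": classify(message),
            "actor_ip": actor_ip, "message": message}


def normalize_all(lines):
    return [normalize(src, line) for src, line in lines]


def detect_auth_failure_bursts(events, threshold=3, window_seconds=60):
    """Alert when one address produces >= threshold auth failures inside a sliding window."""
    by_ip = defaultdict(list)
    for event in events:
        if event["action"] == "auth_failure" and event["actor_ip"]:
            by_ip[event["actor_ip"]].append((event["ts"], event["source"]))
    alerts = []
    for ip, hits in by_ip.items():
        hits.sort()
        start, best = 0, 0
        for end, (t, _src) in enumerate(hits):
            while (t - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"actor_ip": ip, "count": best, "sources": sorted({s for _, s in hits})})
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_failure_bursts(normalize_all(SAMPLE_LINES)):
        print(f"ALERT auth failures from {alert['actor_ip']}: {alert['count']} across {alert['sources']}")
```

The point of the common schema is visible in the alert: the four failures come from four different log formats, and the rule only fires because each was reduced to the same `action` and `actor_ip` fields with a timezone-aware timestamp. Whatever aggregation stack is used, that normalization step is what the "Visualize and Alert" box depends on.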
  24. Monitoring (MONITORING AND LOGGING). Chart axes: Time; Key, Value
  25. ● Secure the deployment pipeline ● Secure the supply chain ● Secure the deployment environment ● Log and monitor all the things ● Stop blaming the people
  26. Follow me on Twitter at @ghaff http://www.bitmasons.com
