NICTA Copyright 2014
Securing the “Last Mile” of the Software Supply Chain
Len Bass, An Binh Tran, Paul Rimba, Ralph Holz, Liming Zhu

The Software Supply Chain has a Great Deal of Diversity
(Figure: suppliers from all over the world, Open Source, In House, Proprietary and 3rd party, feeding the Operational System.)

Deployment pipeline is the “last mile” of the supply chain
(Figure: the deployment pipeline from Developers through Pre-commit tests → Commit → Build Image and Perform Integration tests → UAT / staging / performance tests → Deploy to production → promote to normal production, with suppliers from all over the world feeding the Operational System.)
• The term “Last Mile” comes from telco and logistics.
• It refers to the difficulties in getting calls, goods, software to the consumer from a distribution center.
• See http://blogs.atlassian.com/2014/04/practical-continuous-deployment/ for a discussion of the “last mile” as it pertains to software.

What are the security requirements and threats to those requirements?
• The security requirement we will discuss in this talk: the image deployed into operation is a valid image.
• Threats:
  – The integrity of the specification of the image has been compromised.
  – The image built is not the image specified.
  – The image deployed is not the image built.

Steps of our process for hardening the deployment pipeline
• Identify the security requirement to be satisfied.
• Model the steps in the deployment pipeline that pertain to that requirement.
• Identify the components that implement the steps.
• Repeat until no vulnerabilities are found:
  – Identify trusted and untrusted components.
  – Formally analyze the model to identify vulnerabilities.
  – Refine and modify the model by adding trusted components to resist the vulnerabilities found.
• Implement the necessary modifications to the components.

Security Requirements for the Deployment Pipeline
(Figure: the same deployment pipeline, Pre-commit tests → Commit → Build Image and Perform Integration tests → UAT / staging / performance tests → Deploy to production → promote to normal production, annotated with two steps and their security requirements.)
Security Requirements:
• Create an image of the operational system: the created image is the desired image.
• Place an image into production: the deployed image is the image that was created earlier.

Trusted and untrusted components
• Divide the components that are implied in the deployment pipeline into
  – Trusted
    • Ideally these components are small enough to be verified via code verification techniques.
    • More likely they are trusted because they are widely used and problems get reported and patched.
  – Untrusted
    • All other components.
• The trusted components prevent the untrusted components from violating a security requirement.

Are there vulnerabilities?
(Figure: the “Build Image” step annotated with two questions: Has the specification been compromised? Is this the desired image?)
• The image is built by Jenkins & Docker. Do we trust Jenkins & Docker?
• Both Jenkins and Docker are large open source projects. We do not trust them.
• We need to refine the activity of “build image” and decompose Jenkins/Docker to identify trusted and untrusted portions.

Refine Step of “Build Image”
• Jenkins builds a Docker image.
• Docker, in turn, loads additional portions of the image.
• Jenkins then deploys the image into an environment.
• We do not trust Jenkins and Docker.
What do we see?
• Docker protects the user’s credentials.
• Formal analysis identifies additional files to be protected:
  – Application artifacts
  – Dockerfile (the specification for building the image)

Add image verification step
• The Dockerfile is encrypted.
• New step: compute the Docker image checksum.
• Can Docker be trusted with this step? No. There are several reported vulnerabilities.
• We intend to create an integrity checker solely to calculate the checksum. This should be formally verifiable.

Second security question
(Figure: the “Deploy to Production” step annotated with the question: Is this the image that was created earlier?)
• Deployment is managed by Jenkins.
• The questions are “Do we trust Jenkins?” and “Do we trust AWS security mechanisms?”
• Answers: no and yes.
• We must refine the model and Jenkins.

Refinement of deployment step
• Calculate the checksum of the created image.
• Verify that the deployed image has the same checksum.
• These operations are performed by Jenkins.
• Do we trust Jenkins? No, so more refinement is needed.
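As an added example, not the authors' code and not the formally verifiable integrity checker they intend to build, the Python below shows the two checks the preceding slides add to the pipeline: at build time, record the checksum of the image together with a digest of its specification (the Dockerfile and application artifacts that the formal analysis said must be protected); at deploy time, confirm that the specification is unchanged and that the image about to run has the checksum of the image that was built. The function names and the sample Dockerfile, artifact and image bytes are constructed for this example; fetching real images from a registry is outside it.

```python
# Added example (not code from the NICTA talk): a small integrity checker for
# the "compute image checksum" and "verify deployed image" steps. It assumes the
# Dockerfile, the application artifacts and the built image are available as
# bytes; the sample inputs at the bottom are constructed stand-ins.
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Content digest used for every artifact."""
    return hashlib.sha256(data).hexdigest()


def spec_manifest(dockerfile: bytes, artifacts: dict) -> dict:
    """Digest the specification of the image: the Dockerfile plus each
    application artifact, keyed by name."""
    return {
        "dockerfile": sha256_hex(dockerfile),
        "artifacts": {name: sha256_hex(blob) for name, blob in artifacts.items()},
    }


def manifest_digest(manifest: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the digest does not
    depend on dictionary ordering."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def record_build(dockerfile: bytes, artifacts: dict, image: bytes) -> dict:
    """Build-time step: checksum the image together with the digest of the
    specification it was built from. The record must live where the untrusted
    build tooling cannot rewrite it, otherwise the check proves nothing."""
    return {
        "spec": manifest_digest(spec_manifest(dockerfile, artifacts)),
        "image": sha256_hex(image),
    }


def spec_unchanged(record: dict, dockerfile: bytes, artifacts: dict) -> bool:
    """Threat 1: has the specification been compromised since it was recorded?"""
    current = manifest_digest(spec_manifest(dockerfile, artifacts))
    return hmac.compare_digest(record["spec"], current)


def deployed_matches_built(record: dict, deployed_image: bytes) -> bool:
    """Threat 3 (deploy-time step): is the image about to run the image that
    was built? compare_digest gives a constant-time comparison."""
    return hmac.compare_digest(record["image"], sha256_hex(deployed_image))


# Constructed sample inputs; stand-ins for a real build, not real images.
DOCKERFILE = b'FROM debian:stable\nCOPY app.jar /opt/app.jar\nCMD ["java", "-jar", "/opt/app.jar"]\n'
ARTIFACTS = {"app.jar": b"\x50\x4b\x03\x04constructed-jar-bytes"}
IMAGE = b"constructed-image-tarball-bytes"


def demo() -> dict:
    """Run both checks against an intact and a modified deployment."""
    record = record_build(DOCKERFILE, ARTIFACTS, IMAGE)
    modified_image = IMAGE.replace(b"tarball", b"tarbal1")
    modified_dockerfile = DOCKERFILE.replace(b"debian:stable", b"debian:latest")
    return {
        "spec_intact": spec_unchanged(record, DOCKERFILE, ARTIFACTS),
        "spec_modified": spec_unchanged(record, modified_dockerfile, ARTIFACTS),
        "image_intact": deployed_matches_built(record, IMAGE),
        "image_modified": deployed_matches_built(record, modified_image),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

The checker itself is a few dozen lines with no dependencies beyond the standard library, which is the property the talk wants from a trusted component: small enough to verify. Its value rests entirely on where the build record is kept; if Jenkins can rewrite it, the deploy-time comparison only confirms that Jenkins agrees with itself.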

Summary
• Our contribution is the creation of an engineering process to evaluate and modify the design of a deployment pipeline.
• Our process is based on
  – identifying trusted components,
  – analyzing a process using formal methods,
  – patching vulnerabilities by creating small trusted components,
  – refining until no vulnerabilities remain.
• The specifics of what we have done depend on the technologies we use, but the process will work for any collection of technologies.

More Related Content

What's hot

Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
Synopsys Software Integrity Group
 
CI/CD Overview
CI/CD OverviewCI/CD Overview
CI/CD Overview
An Nguyen
 
Introduction to CICD
Introduction to CICDIntroduction to CICD
Introduction to CICD
Knoldus Inc.
 
Standardizing Jenkins with CloudBees Jenkins Team
Standardizing Jenkins with CloudBees Jenkins TeamStandardizing Jenkins with CloudBees Jenkins Team
Standardizing Jenkins with CloudBees Jenkins Team
Deborah Schalm
 
Continuous Integration, Build Pipelines and Continuous Deployment
Continuous Integration, Build Pipelines and Continuous DeploymentContinuous Integration, Build Pipelines and Continuous Deployment
Continuous Integration, Build Pipelines and Continuous Deployment
Christopher Read
 
Continuous integration
Continuous integrationContinuous integration
Continuous integration
hugo lu
 
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
What is Jenkins | Jenkins Tutorial for Beginners | EdurekaWhat is Jenkins | Jenkins Tutorial for Beginners | Edureka
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
Edureka!
 
Jenkins - From Continuous Integration to Continuous Delivery
Jenkins - From Continuous Integration to Continuous DeliveryJenkins - From Continuous Integration to Continuous Delivery
Jenkins - From Continuous Integration to Continuous Delivery
Virendra Bhalothia
 
What is Continuous Integration? | Continuous Integration with Jenkins | DevOp...
What is Continuous Integration? | Continuous Integration with Jenkins | DevOp...What is Continuous Integration? | Continuous Integration with Jenkins | DevOp...
What is Continuous Integration? | Continuous Integration with Jenkins | DevOp...
Edureka!
 
#speakgell - Continuous Integration in iconnect360
#speakgell - Continuous Integration in iconnect360#speakgell - Continuous Integration in iconnect360
#speakgell - Continuous Integration in iconnect360
Derek Chan
 
Continuous deployment steve povilaitis
Continuous deployment   steve povilaitisContinuous deployment   steve povilaitis
Continuous deployment steve povilaitis
Steve Povilaitis
 
Building a CICD pipeline for deploying to containers
Building a CICD pipeline for deploying to containersBuilding a CICD pipeline for deploying to containers
Building a CICD pipeline for deploying to containers
Amazon Web Services
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOps
Eklove Mohan
 
Preparing for DevOps
Preparing for DevOpsPreparing for DevOps
Preparing for DevOps
Eklove Mohan
 
Why NXTware Remote for Jenkins
Why NXTware Remote for JenkinsWhy NXTware Remote for Jenkins
Why NXTware Remote for Jenkins
ecubemarketing
 
Integration Testing as Validation and Monitoring
 Integration Testing as Validation and Monitoring Integration Testing as Validation and Monitoring
Integration Testing as Validation and Monitoring
Melissa Benua
 
Scania: A DevOps Journey in an Automotive Enterprise  
Scania: A DevOps Journey in an Automotive Enterprise  Scania: A DevOps Journey in an Automotive Enterprise  
Scania: A DevOps Journey in an Automotive Enterprise  
Perforce
 
Continuous integration with Jenkins
Continuous integration with JenkinsContinuous integration with Jenkins
Continuous integration with Jenkins
Mohammad Hossein Rimaz
 
Continuous integration
Continuous integrationContinuous integration
Continuous integration
amscanne
 
Continuous Delivery Agiles 2014 Medellin
Continuous Delivery Agiles 2014 MedellinContinuous Delivery Agiles 2014 Medellin
Continuous Delivery Agiles 2014 Medellin
Diego Garber
 

What's hot (20)

Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
 
CI/CD Overview
CI/CD OverviewCI/CD Overview
CI/CD Overview
 
Introduction to CICD
Introduction to CICDIntroduction to CICD
Introduction to CICD
 
Standardizing Jenkins with CloudBees Jenkins Team
Standardizing Jenkins with CloudBees Jenkins TeamStandardizing Jenkins with CloudBees Jenkins Team
Standardizing Jenkins with CloudBees Jenkins Team
 
Continuous Integration, Build Pipelines and Continuous Deployment
Continuous Integration, Build Pipelines and Continuous DeploymentContinuous Integration, Build Pipelines and Continuous Deployment
Continuous Integration, Build Pipelines and Continuous Deployment
 
Continuous integration
Continuous integrationContinuous integration
Continuous integration
 
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
What is Jenkins | Jenkins Tutorial for Beginners | EdurekaWhat is Jenkins | Jenkins Tutorial for Beginners | Edureka
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
 
Jenkins - From Continuous Integration to Continuous Delivery
Jenkins - From Continuous Integration to Continuous DeliveryJenkins - From Continuous Integration to Continuous Delivery
Jenkins - From Continuous Integration to Continuous Delivery
 
What is Continuous Integration? | Continuous Integration with Jenkins | DevOp...
What is Continuous Integration? | Continuous Integration with Jenkins | DevOp...What is Continuous Integration? | Continuous Integration with Jenkins | DevOp...
What is Continuous Integration? | Continuous Integration with Jenkins | DevOp...
 
#speakgell - Continuous Integration in iconnect360
#speakgell - Continuous Integration in iconnect360#speakgell - Continuous Integration in iconnect360
#speakgell - Continuous Integration in iconnect360
 
Continuous deployment steve povilaitis
Continuous deployment   steve povilaitisContinuous deployment   steve povilaitis
Continuous deployment steve povilaitis
 
Building a CICD pipeline for deploying to containers
Building a CICD pipeline for deploying to containersBuilding a CICD pipeline for deploying to containers
Building a CICD pipeline for deploying to containers
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOps
 
Preparing for DevOps
Preparing for DevOpsPreparing for DevOps
Preparing for DevOps
 
Why NXTware Remote for Jenkins
Why NXTware Remote for JenkinsWhy NXTware Remote for Jenkins
Why NXTware Remote for Jenkins
 
Integration Testing as Validation and Monitoring
 Integration Testing as Validation and Monitoring Integration Testing as Validation and Monitoring
Integration Testing as Validation and Monitoring
 
Scania: A DevOps Journey in an Automotive Enterprise  
Scania: A DevOps Journey in an Automotive Enterprise  Scania: A DevOps Journey in an Automotive Enterprise  
Scania: A DevOps Journey in an Automotive Enterprise  
 
Continuous integration with Jenkins
Continuous integration with JenkinsContinuous integration with Jenkins
Continuous integration with Jenkins
 
Continuous integration
Continuous integrationContinuous integration
Continuous integration
 
Continuous Delivery Agiles 2014 Medellin
Continuous Delivery Agiles 2014 MedellinContinuous Delivery Agiles 2014 Medellin
Continuous Delivery Agiles 2014 Medellin
 

Similar to Securing deployment pipeline

Improving Quality through Continuous Integration - A case study of CollabNet
Improving Quality through Continuous Integration - A case study of CollabNetImproving Quality through Continuous Integration - A case study of CollabNet
Improving Quality through Continuous Integration - A case study of CollabNet
Venkat Janardhanam, MS, MBA
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Zach Hill
 
End-to-end testing in complex GitOps environments
End-to-end testing in complex GitOps environmentsEnd-to-end testing in complex GitOps environments
End-to-end testing in complex GitOps environments
Etienne Tremel
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
Dr. Anish Cheriyan (PhD)
 
CI_CD_Demo.pptx
CI_CD_Demo.pptxCI_CD_Demo.pptx
CI_CD_Demo.pptx
TheGame26
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
Dr. Anish Cheriyan (PhD)
 
A Continuous Delivery Safety Net for Databases
A Continuous Delivery Safety Net for DatabasesA Continuous Delivery Safety Net for Databases
A Continuous Delivery Safety Net for Databases
IBM UrbanCode Products
 
DevOps for AI Apps
DevOps for AI AppsDevOps for AI Apps
DevOps for AI Apps
Richin Jain
 
Are your DevOps and Security teams friends or foes?
Are your DevOps and Security teams friends or foes?Are your DevOps and Security teams friends or foes?
Are your DevOps and Security teams friends or foes?
Reuven Harrison
 
Self-Service Secure Test and Release Pipelines
Self-Service Secure Test and Release PipelinesSelf-Service Secure Test and Release Pipelines
Self-Service Secure Test and Release Pipelines
Salesforce Engineering
 
3 steps to hosted success
3 steps to hosted success3 steps to hosted success
3 steps to hosted success
VXSuite
 
Developer 2: Building A DevOps Toolchain
Developer 2: Building A DevOps ToolchainDeveloper 2: Building A DevOps Toolchain
Developer 2: Building A DevOps Toolchain
Inflectra
 
Open Source Compliance for DevOps - OSCON 2017
Open Source Compliance for DevOps - OSCON 2017Open Source Compliance for DevOps - OSCON 2017
Open Source Compliance for DevOps - OSCON 2017
Bianca Xue Jiang
 
GDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdfGDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdf
James Anderson
 
Anchore Engine
Anchore EngineAnchore Engine
Anchore Engine
Knoldus Inc.
 
Migrate to microservices
Migrate to microservicesMigrate to microservices
Migrate to microservices
Andrey Trubitsyn
 
Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!
Eric Smalling
 
Application Lifecycle Management
Application Lifecycle ManagementApplication Lifecycle Management
Application Lifecycle Management
Amazon Web Services
 
Enterprise CI as-a-Service using Jenkins
Enterprise CI as-a-Service using JenkinsEnterprise CI as-a-Service using Jenkins
Enterprise CI as-a-Service using Jenkins
CollabNet
 
Harman deepak v - agile on steriod - dev ops led transformation
Harman  deepak v - agile on steriod - dev ops led transformationHarman  deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformation
Xebia India
 

Similar to Securing deployment pipeline (20)

Improving Quality through Continuous Integration - A case study of CollabNet
Improving Quality through Continuous Integration - A case study of CollabNetImproving Quality through Continuous Integration - A case study of CollabNet
Improving Quality through Continuous Integration - A case study of CollabNet
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
End-to-end testing in complex GitOps environments
End-to-end testing in complex GitOps environmentsEnd-to-end testing in complex GitOps environments
End-to-end testing in complex GitOps environments
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
 
CI_CD_Demo.pptx
CI_CD_Demo.pptxCI_CD_Demo.pptx
CI_CD_Demo.pptx
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
 
A Continuous Delivery Safety Net for Databases
A Continuous Delivery Safety Net for DatabasesA Continuous Delivery Safety Net for Databases
A Continuous Delivery Safety Net for Databases
 
DevOps for AI Apps
DevOps for AI AppsDevOps for AI Apps
DevOps for AI Apps
 
Are your DevOps and Security teams friends or foes?
Are your DevOps and Security teams friends or foes?Are your DevOps and Security teams friends or foes?
Are your DevOps and Security teams friends or foes?
 
Self-Service Secure Test and Release Pipelines
Self-Service Secure Test and Release PipelinesSelf-Service Secure Test and Release Pipelines
Self-Service Secure Test and Release Pipelines
 
3 steps to hosted success
3 steps to hosted success3 steps to hosted success
3 steps to hosted success
 
Developer 2: Building A DevOps Toolchain
Developer 2: Building A DevOps ToolchainDeveloper 2: Building A DevOps Toolchain
Developer 2: Building A DevOps Toolchain
 
Open Source Compliance for DevOps - OSCON 2017
Open Source Compliance for DevOps - OSCON 2017Open Source Compliance for DevOps - OSCON 2017
Open Source Compliance for DevOps - OSCON 2017
 
GDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdfGDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdf
 
Anchore Engine
Anchore EngineAnchore Engine
Anchore Engine
 
Migrate to microservices
Migrate to microservicesMigrate to microservices
Migrate to microservices
 
Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!
 
Application Lifecycle Management
Application Lifecycle ManagementApplication Lifecycle Management
Application Lifecycle Management
 
Enterprise CI as-a-Service using Jenkins
Enterprise CI as-a-Service using JenkinsEnterprise CI as-a-Service using Jenkins
Enterprise CI as-a-Service using Jenkins
 
Harman deepak v - agile on steriod - dev ops led transformation
Harman  deepak v - agile on steriod - dev ops led transformationHarman  deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformation
 

More from Len Bass

11 secure development
11  secure development 11  secure development
11 secure development
Len Bass
 
10 disaster recovery
10 disaster recovery  10 disaster recovery
10 disaster recovery
Len Bass
 
9 postproduction
9 postproduction 9 postproduction
9 postproduction
Len Bass
 
8 pipeline
8 pipeline 8 pipeline
8 pipeline
Len Bass
 
7 configuration management
7 configuration management 7 configuration management
7 configuration management
Len Bass
 
6 microservice architecture
6 microservice architecture6 microservice architecture
6 microservice architecture
Len Bass
 
5 infrastructure security
5 infrastructure security5 infrastructure security
5 infrastructure security
Len Bass
 
4 container management
4  container management4  container management
4 container management
Len Bass
 
3 the cloud
3 the cloud 3 the cloud
3 the cloud
Len Bass
 
1 virtual machines
1 virtual machines1 virtual machines
1 virtual machines
Len Bass
 
2 networking
2 networking2 networking
2 networking
Len Bass
 
Quantum talk
Quantum talkQuantum talk
Quantum talk
Len Bass
 
Icsa2018 blockchain tutorial
Icsa2018 blockchain tutorialIcsa2018 blockchain tutorial
Icsa2018 blockchain tutorial
Len Bass
 
Understanding blockchains
Understanding blockchainsUnderstanding blockchains
Understanding blockchains
Len Bass
 
What is a blockchain
What is a blockchainWhat is a blockchain
What is a blockchain
Len Bass
 
Architecture for the cloud deployment case study future
Architecture for the cloud deployment case study futureArchitecture for the cloud deployment case study future
Architecture for the cloud deployment case study future
Len Bass
 
Architecting for the cloud cloud providers
Architecting for the cloud cloud providersArchitecting for the cloud cloud providers
Architecting for the cloud cloud providers
Len Bass
 
Architecting for the cloud storage build test
Architecting for the cloud storage build testArchitecting for the cloud storage build test
Architecting for the cloud storage build test
Len Bass
 
Architecting for the cloud map reduce creating
Architecting for the cloud   map reduce creatingArchitecting for the cloud   map reduce creating
Architecting for the cloud map reduce creating
Len Bass
 
Architecting for the cloud storage misc topics
Architecting for the cloud storage misc topicsArchitecting for the cloud storage misc topics
Architecting for the cloud storage misc topics
Len Bass
 

More from Len Bass (20)

11 secure development
11  secure development 11  secure development
11 secure development
 
10 disaster recovery
10 disaster recovery  10 disaster recovery
10 disaster recovery
 
9 postproduction
9 postproduction 9 postproduction
9 postproduction
 
8 pipeline
8 pipeline 8 pipeline
8 pipeline
 
7 configuration management
7 configuration management 7 configuration management
7 configuration management
 
6 microservice architecture
6 microservice architecture6 microservice architecture
6 microservice architecture
 
5 infrastructure security
5 infrastructure security5 infrastructure security
5 infrastructure security
 
4 container management
4  container management4  container management
4 container management
 
3 the cloud
3 the cloud 3 the cloud
3 the cloud
 
1 virtual machines
1 virtual machines1 virtual machines
1 virtual machines
 
2 networking
2 networking2 networking
2 networking
 
Quantum talk
Quantum talkQuantum talk
Quantum talk
 
Icsa2018 blockchain tutorial
Icsa2018 blockchain tutorialIcsa2018 blockchain tutorial
Icsa2018 blockchain tutorial
 
Understanding blockchains
Understanding blockchainsUnderstanding blockchains
Understanding blockchains
 
What is a blockchain
What is a blockchainWhat is a blockchain
What is a blockchain
 
Architecture for the cloud deployment case study future
Architecture for the cloud deployment case study futureArchitecture for the cloud deployment case study future
Architecture for the cloud deployment case study future
 
Architecting for the cloud cloud providers
Architecting for the cloud cloud providersArchitecting for the cloud cloud providers
Architecting for the cloud cloud providers
 
Architecting for the cloud storage build test
Architecting for the cloud storage build testArchitecting for the cloud storage build test
Architecting for the cloud storage build test
 
Architecting for the cloud map reduce creating
Architecting for the cloud   map reduce creatingArchitecting for the cloud   map reduce creating
Architecting for the cloud map reduce creating
 
Architecting for the cloud storage misc topics
Architecting for the cloud storage misc topicsArchitecting for the cloud storage misc topics
Architecting for the cloud storage misc topics
 

Recently uploaded

Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
sjcobrien
 
Kubernetes at Scale: Going Multi-Cluster with Istio
Kubernetes at Scale:  Going Multi-Cluster  with IstioKubernetes at Scale:  Going Multi-Cluster  with Istio
Kubernetes at Scale: Going Multi-Cluster with Istio
Severalnines
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
brainerhub1
 
ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.
Maitrey Patel
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Julian Hyde
 
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Paul Brebner
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
Yara Milbes
 
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
dakas1
 
Project Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdfProject Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdf
Karya Keeper
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
Green Software Development
 
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
kgyxske
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
XfilesPro
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
VALiNTRY360
 
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
ToXSL Technologies
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Peter Caitens
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
The Third Creative Media
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
Sven Peters
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
dakas1
 

Recently uploaded (20)

Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
 
Kubernetes at Scale: Going Multi-Cluster with Istio
Kubernetes at Scale:  Going Multi-Cluster  with IstioKubernetes at Scale:  Going Multi-Cluster  with Istio
Kubernetes at Scale: Going Multi-Cluster with Istio
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
 
ACE - Team 24 Wrapup event at ahmedabad.
Securing deployment pipeline

1. Securing the “Last Mile” of the Software Supply Chain (NICTA Copyright 2014)
   Len Bass, An Binh Tran, Paul Rimba, Ralph Holz, Liming Zhu

2. The Software Supply Chain has a Great Deal of Diversity
   • Suppliers from all over the world feed the operational system: open source, in-house, proprietary and 3rd-party components.

3. Deployment pipeline is the “last mile” of the supply chain
   [Diagram: Developers → Commit → Pre-commit tests → Build Image and Perform Integration tests → UAT / staging / performance tests → Deploy to production → promote to normal production. Suppliers from all over the world feed into the Operational System; the deployment pipeline is the final stretch.]
   • The term “Last Mile” comes from telco and logistics.
   • It refers to the difficulties in getting calls, goods, or software to the consumer from a distribution center.
   • See http://blogs.atlassian.com/2014/04/practical-continuous-deployment/ for a discussion of the “last mile” as it pertains to software.

4. What are the security requirements and threats to those requirements?
   • The security requirement we will discuss in this talk: the image deployed into operation is a valid image.
   • Threats:
     – The integrity of the specification of the image has been compromised.
     – The image built is not the image specified.
     – The image deployed is not the image built.

5. Steps of our process for hardening the deployment pipeline
   • Identify the security requirement to be satisfied.
   • Model the steps in the deployment pipeline that pertain to that requirement.
   • Identify the components that implement the steps.
   • Repeat until no vulnerabilities are found:
     – Identify trusted and untrusted components.
     – Formally analyze the model to identify vulnerabilities.
     – Refine and modify the model by adding trusted components to resist the vulnerabilities found.
   • Implement the necessary modifications to the components.

6. Security Requirements for the Deployment Pipeline
   [Diagram: the pipeline of slide 3 (Developers → Commit → Pre-commit tests → Build Image and Perform Integration tests → UAT / staging / performance tests → Deploy to production → promote to normal production), annotated with two steps and the security requirement attached to each.]
   • Create an image of the operational system. Security requirement: the created image is the desired image.
   • Place an image into production. Security requirement: the deployed image is the image that was created earlier.
7. Trusted and untrusted components
   • Divide the components involved in the deployment pipeline into:
     – Trusted
       • Ideally these components are small enough to be verified via code verification techniques.
       • More likely they are trusted because they are widely used and problems get reported and patched.
     – Untrusted
       • All other components.
   • The trusted components prevent the untrusted components from violating a security requirement.

8. Are there vulnerabilities?
   • Has the specification been compromised? Is this the desired image?
   • The image is built by Jenkins and Docker. Do we trust Jenkins and Docker?
   • Both Jenkins and Docker are large open source projects. We do not trust them.
   • We need to refine the activity of “build image” and decompose Jenkins/Docker to identify trusted and untrusted portions.

9. Refine Step of “Build Image”
   • Jenkins builds a Docker image.
   • Docker, in turn, loads additional portions of the image.
   • Jenkins then deploys the image into an environment.
   • We do not trust Jenkins and Docker.
   • What do we see?
     – Docker protects the user’s credentials.
     – Formal analysis identifies additional files to be protected:
       • Application artifacts
       • Dockerfile (the specification for building the image)
10. Add image verification step
   • The Dockerfile is encrypted.
   • New step: compute the Docker image checksum.
   • Can Docker be trusted with this step? No. There are several reported vulnerabilities.
   • We intend to create an integrity checker solely to calculate the checksum. This should be formally verifiable.

11. Second security question
   • Deploy to Production: is this the image that was created earlier?
   • Deployment is managed by Jenkins.
   • The questions are “Do we trust Jenkins?” and “Do we trust AWS security mechanisms?”
   • Answers: no and yes.
   • We must refine the model and Jenkins.

12. Refinement of deployment step
   • Calculate the checksum of the created image.
   • Verify that the deployed image has the same checksum.
   • These operations are performed by Jenkins.
   • Do we trust Jenkins?
   • No: we must do more refinement.
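The two checksum steps above (slide 10: checksum the built image; slide 12: verify the deployed image has the same checksum), together with the protection of the Dockerfile and application artifacts that slide 9 identifies, can be sketched as one small integrity checker. The following is an added example written for this page; it is not the NICTA tool and not Jenkins or Docker code. It assumes the build inputs are available as a path-to-bytes mapping and the image as bytes (for instance the tar written by `docker save`), that the record it produces is stored where Jenkins and Docker cannot rewrite it, and the Dockerfile, artifact and image contents in the demo are constructed, not real.

```python
"""Integrity checker for the last mile: added example, not the NICTA tool.

Two checks from the slides:
  (1) the image that was built was built from the approved specification
      (Dockerfile plus application artifacts), and
  (2) the image that is deployed is the image that was built.

Assumptions (not from the slides): build inputs arrive as a {path: bytes}
mapping and the image arrives as bytes, e.g. the tar produced by `docker save`.
"""
import hashlib
import hmac
from typing import Dict, List, Mapping


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def spec_digest(inputs: Mapping[str, bytes]) -> str:
    """Single digest over the whole specification.

    Paths are sorted and every field is length-prefixed, so the result does not
    depend on iteration order, and adding, removing or renaming a file changes
    the digest, not only editing a file's contents.
    """
    h = hashlib.sha256()
    for path in sorted(inputs):
        name = path.encode("utf-8")
        body = inputs[path]
        h.update(len(name).to_bytes(4, "big") + name)
        h.update(len(body).to_bytes(8, "big") + body)
    return h.hexdigest()


def approve_spec(inputs: Mapping[str, bytes]) -> str:
    """Run by the trusted checker when the specification is accepted as the
    'desired image'. The returned digest must be kept out of reach of the
    untrusted build tools."""
    return spec_digest(inputs)


def record_build(approved_spec: str, inputs_used: Mapping[str, bytes],
                 image_bytes: bytes) -> Dict[str, str]:
    """Build-time step (slide 10): refuse to record an image unless the inputs
    the build actually consumed match the approved specification, then record
    the image checksum alongside the specification digest."""
    actual = spec_digest(inputs_used)
    if not hmac.compare_digest(actual, approved_spec):
        raise ValueError("build inputs do not match the approved specification")
    return {"spec_sha256": approved_spec, "image_sha256": sha256_hex(image_bytes)}


def check_deploy(record: Mapping[str, str], deployed_image: bytes) -> List[str]:
    """Deploy-time step (slide 12): compare the image that reached production
    with the recorded checksum. Returns a list of failures; empty means pass."""
    if not hmac.compare_digest(sha256_hex(deployed_image), record["image_sha256"]):
        return ["deployed image differs from the built image"]
    return []


if __name__ == "__main__":
    # Constructed inputs for the demo; not a real Dockerfile, jar or image.
    inputs = {
        "Dockerfile": b"FROM example-base:1.0\nCOPY app.jar /app/app.jar\n",
        "app.jar": b"PK\x03\x04 constructed artifact bytes",
    }
    image = b"constructed output of docker save"

    approved = approve_spec(inputs)
    record = record_build(approved, inputs, image)
    print("deploy of built image:", check_deploy(record, image) or "ok")

    # Threat 1 from slide 4: the specification is altered after approval.
    tampered = dict(inputs, Dockerfile=b"FROM example-base:2.0\nCOPY app.jar /app/app.jar\n")
    try:
        record_build(approved, tampered, image)
    except ValueError as err:
        print("tampered specification rejected:", err)

    # Threat 3 from slide 4: the image in production is not the image built.
    print("deploy of other image:", check_deploy(record, image + b"\x00"))
```

The record binds one image digest to one approved specification digest, which is all a checksum can do: it detects a swapped specification and a swapped image, but it does not prove that the build step itself was faithful (threat 2), and it is only worth anything if the approval digest and the record are held by the small trusted component rather than by Jenkins or Docker. That is exactly the gap the deck keeps refining.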
13. Summary
   • Our contribution is the creation of an engineering process to evaluate and modify the design of a deployment pipeline.
   • Our process is based on:
     – identifying trusted components,
     – analyzing a process using formal methods,
     – patching vulnerabilities by creating small trusted components,
     – refining until no vulnerabilities remain.
   • The specifics of what we have done depend on the technologies we use, but the process will work for any collection of technologies.