Taras Bobalo – Application Security Automation with DevOps Tools and Clouds

  1. Application Security automation with DevOps tools and clouds (OWASP Kyiv 2017)
  2. Agenda
     • Problematics
     • SecOps vs Pentester needs
     • HW VM vs Container
     • How to select the tool
     • Docker as universal solution
     • Security of “Citadel”
     • Conclusion
     • Practice demonstration
  3. Problematics
     • Administration routine
     • Inventory
     • Configuration management
     • Backup and recovery
     • Classic enterprise or qualified team?
     • Auditor probes of server configs:)
  4. SecOps vs Pentester needs

     |                        | SecOps                                    | Pentester                                     | Admins                             |
     |------------------------|-------------------------------------------|-----------------------------------------------|------------------------------------|
     | Scanners               | Permanent with ticketing service!         | Temporary and scalable                        | One more scan — one more damage:)  |
     | Monitoring             | Fullest                                   | Terminal bells can be enough:)                | Zabbix our ALL                     |
     | Backups                | Full with strong plan and copies          | Evidences for report                          | Sometimes we need it               |
     | Data encryption        | Secured by vendor and checked by auditor  | Always if responsible for customer security   | Once more that keys entering…%(    |
     | Cloud & Virtualization | Own DC is preferred                       | Ideal surround                                |                                    |
     | Automation             | NO, Enterprise…                           | Any deployment with tools and scripts         | It’s for DevOps:)                  |

     But automation is your time! For recovery, incident response, project time and money.
  5. HW VM vs Container

     |              | VM                                    | Container                        |
     |--------------|---------------------------------------|----------------------------------|
     | Performance  | More resources are taken for each VM  | Sharing single kernel resources  |
     | Management   | Need additional mgmt systems          | Simple scripting                 |
     | Provisioning | OpenStack, …                          | Native swarm, kubernetes         |
     | Automation   | Different for each VM                 | Can be done by host machines     |

     Select depending on tasks and plans!
  6. How to select the tool
     Chef and Puppet are the oldest, most established options, making them good for larger enterprises and environments that value maturity and stability over simplicity. Ansible and SaltStack are good options for those looking for fast and simple solutions while working in environments that don’t need support for quirky features or lots of OSs. For RedHat-only distributions, Spacewalk is a good option.

     |                   | Chef                  | Puppet                     | SaltStack                    | Ansible               |
     |-------------------|-----------------------|----------------------------|------------------------------|-----------------------|
     | Architecture      | Client/Server         | Client/Server              | Client/Server, Client mode   | Client only           |
     | Parallelization   | Full                  | Full                       | Partial                      | One-by-one            |
     | Licensing         | Fully paid            | Open, Paid Enterprise      | Open, Paid Enterprise        | Open, Paid Tower      |
     | Container support | Native docker module  | Docker by external module  | Native docker module         | Native docker module  |
     | Cloud support     | Full in Enterprise    | Full in Enterprise         | Full                         | Full                  |
  7. SaltStack vs Ansible

     |                | SaltStack                                                                            | Ansible                                                                               |
     |----------------|--------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------|
     | Architecture   | salt-master (servers) / salt-minion (clients) over own TCP connection                | SSH access only, from anywhere (configured host) to servers                           |
     | Speed          | Fast parallelised execution                                                          | Very slow for big scopes: server-by-server execution                                  |
     | Code structure | Mostly general modules for any platform (better tested and included on client side)  | Exact modules for each feature/platform (execution of imported code — more fails)     |
     | Orchestration  | More featured and has monitoring: events & reactors — responses to minion events     | Very simple structuring of roles and playbooks                                        |
     | Security       | Uses TCP connections with own AES protocol using the PyCrypto package                | Flexible SSH configuration and a more tested protocol                                 |
     | Sensitive data | Secured master machine                                                               | Secured admin’s or dedicated VM machine                                               |
     | Deployment     | Complex server deployment but very scalable and distributed                          | Very simple installation, update, scaling and migration                               |
  8. Docker as universal solution
     • Implement docker-engine at any cloud provider
     • HW & security limitations now out of the box
     • Kali on AWS?:) — import/export your container anywhere
     • Scanner limits — scale your own or pulled containers anywhere (Sn1per for recon, for example)
     • Manage docker hosts & containers with SaltStack or Ansible
     • Need visualization — try kubernetes
  9. Main docker features
     • Rapid application deployment – containers include the minimal runtime requirements of the application, reducing their size and allowing them to be deployed quickly.
     • Portability across machines – an application and all its dependencies can be bundled into a single container that is independent from the host version of the Linux kernel, platform distribution, or deployment model. This container can be transferred to another machine that runs Docker and executed there without compatibility issues.
     • Version control and component reuse – you can track successive versions of a container, inspect differences, or roll back to previous versions. Containers reuse components from the preceding layers, which makes them noticeably lightweight.
     • Sharing – you can use a remote repository to share your container with others. It is also possible to configure your own private repository.
     • Lightweight footprint and minimal overhead – Docker images are typically very small, which facilitates rapid delivery and reduces the time to deploy new application containers.
     • Simplified maintenance – Docker reduces the effort and risk of problems with application dependencies.
     • Security & resource limitations – Docker has flexible features for security, HW resource limitation and network segmentation.
  10. Security of “Citadel”
     • FDE as a must (LUKS for the key container at least)
     • Security monitoring (ossec+ELK or Splunk)
     • No ssh passwords — key access only
     • ACL limitation or VPN
     • ansible-vault and salt shadow.set_password
  11. Conclusion
     • DevOps is not only the next level of admins — it’s a strong solution for any IT & Dev & Security
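     The “no ssh passwords — key access only” item is easy to get wrong because sshd keeps the first value it reads for a keyword and treats settings after a Match line as conditional. The check below is an added example, not code from the talk; the set of keywords and accepted values it enforces is this example's own assumption, and the sshd_config text is constructed.

```python
"""Audit the global section of an sshd_config for key-only access."""
import re

# Required global settings for key-only access (assumption of this example).
REQUIRED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "challengeresponseauthentication": {"no"},
}


def parse_global(text):
    """Return {keyword: value} for the global section, as sshd would see it.

    Keywords are case-insensitive, 'key value' and 'key = value' are both
    valid, the FIRST value for a keyword wins, and the global section ends
    at the first 'Match' line (later settings apply only to that match).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)          # first obtained value wins
    return settings


def audit(text):
    """Return a list of findings; an empty list means the config complies."""
    got = parse_global(text)
    findings = []
    for key, allowed in REQUIRED.items():
        actual = got.get(key)
        if actual is None:
            findings.append(f"{key}: not set explicitly (sshd default applies)")
        elif actual.lower() not in allowed:
            findings.append(f"{key}: is '{actual}', expected one of {sorted(allowed)}")
    return findings


# Constructed sample: the later 'PasswordAuthentication no' never takes effect.
SAMPLE = """
Port 22
PasswordAuthentication yes   # left over from provisioning
PubkeyAuthentication = yes
PasswordAuthentication no
PermitRootLogin prohibit-password
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

     Run against the sample it reports two findings: password authentication is still effectively enabled by the first line, and ChallengeResponseAuthentication is left to the sshd default.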