PUTTING THE SEC INTO DEVOPS
Prof. Avishai Wool
AGENDA
• Introduction: DevOps and Network Security
• Ops + Security scenarios: Pitfalls and Tips
• Dev + Security scenarios
• DevOps with AlgoSec
• Continuous integration with AlgoSec
WHAT’S THE MOTIVATION?
• Network connectivity and security are a painful bottleneck in the application delivery pipeline
• Accelerate application delivery by automating network connectivity processing
  • Human intervention only when required
• Visibility into application connectivity requirements is important for Network and Security teams
• Security, a full audit trail and continuous compliance must be built into the process
DEVOPS CYCLE
• Develop (Programmers in R&D)
  • New application
  • New functionalities in an existing application
• Test
• Deploy (Ops)
  • Add capacity to an existing application
  • New deployment targets
• Production
NO APPLICATION IS AN ISLAND
Applications have connectivity requirements:
• Human users
  • Insiders
  • Remote sites and road warriors
  • Outsourcers
  • Business partners
  • Outsiders
• Internal resources (DB, API to other applications, …)
• Infrastructure resources (DNS, backup, authentication, …)
• Business partner resources
• Internet resources
NETWORK SEGMENTATION
• Separate environments for Dev/Test/Pre-production/Production
• Network security policies must allow the necessary traffic
• Changes to applications that modify connectivity requirements must be implemented in network security policies
• … so you need DevSecOps
TIGHTER SECURITY IN PROD
[Diagram: security zones for Development/Test, Pre-Production, Production Front and Production Backend]
• Test & Pre-Production environments: servers all in one security zone
• Production servers in several security zones
OPS + SECURITY SCENARIOS: PITFALLS AND TIPS
ADDING CAPACITY
• Typically only Ops involved
• Typically only relevant to the Production environment
• Add another
  • Web server to the web farm
  • Compute engine to the Compute cluster
  • Etc.
• New clone has the same role as existing clones
• No need for another security review – all pre-approved
SOUTHBOUND TRAFFIC: LOAD BALANCER
• Load balancer in front of the web farm
• Upstream security policies written using “Virtual IP” / “Virtual Server name”
Result:
• Add new server to the farm
• Update load balancer configuration to use the new resource
• No need to touch security policies
[Diagram: load balancer in front of the web farm; zones Dev/Test, Pre-Prod, Prod Front, Prod Back]
EAST/WEST TRAFFIC
• Need to connect to / accept connections from other systems
  • Management connections
  • Access to internal/partner/Internet resources
  • Resources in other network segments
• Connections flow across security zones
• Load balancer does not help: need to differentiate between clones
[Diagram: firewall between the Dev/Test, Pre-Prod, Prod Front and Prod Back zones]
EAST/WEST TRAFFIC – SOLUTION A
• Careful IP address allocation!
• Discipline:
  • All clones have IP addresses in the same Subnet / Range / VLAN / VPC
  • Security policy rules allow traffic to/from the whole Subnet
Result:
• Add new server to the farm
• Ensure its IP address is in the correct Subnet / Range
• No need to touch Security Policies
ADDRESS ALLOCATION – PROPERTIES
Pro: works with all filtering technologies
Cons:
• Pre-allocate IP addresses for each server class
• Need to predict maximal capacity
EAST/WEST TRAFFIC – SOLUTION B
• Use object groups!
• Discipline:
  • Filtering devices have a network object group for each server class
  • Security policy rules allow traffic to/from the object group
Result:
• Add new server to the farm
• Add its IP address to the correct object group
• No need to touch security policy rules – the object change is sufficient
OBJECT GROUPS – PROPERTIES
Pros:
• Clones can have arbitrary IP addresses
• No address pre-allocation
• No need to predict maximal capacity
Cons:
• Need to touch object definitions on security devices
  • Goal: zero-touch orchestration, with audit trail
• Requires filtering devices that support object groups
  • Router ACLs and cloud providers’ “Security Groups” have limitations
DEV + SECURITY SCENARIOS
DEVOPS WITHOUT “SEC” FAILURES
• Developers add new functionality to an application
• Everything works in Test and Pre-Production environments
• Push new version to Production → Fail!
WHAT WENT WRONG?
• Remember “No application is an island”
• New functionality includes new connectivity flows
• Dev didn’t document the new flows
  • Possibly didn’t realize new connectivity was required
• Relaxed security policy in Dev, Test, Pre-Production environments allows connectivity
  • Maybe the resource replica/placeholder is inside the same zone?
• Application works in Test: no need for Sec involvement – wrong!
DOCUMENT THE APPLICATION FLOWS
• Maintain a repository recording all the flows required by each application
• For each flow record, at least:
  • Source and Destination IP addresses
  • Services and network-applications in use
• Automation Tools:
  • Modify the application record whenever new functionality adds flows
  • Add security review and approval for new flows during the Dev cycle
TIP: TIGHTEN SECURITY AROUND TEST
• Place filtering devices around the Pre-Production environment
• Apply the tight security policy of Production
  • Not the loose policy of Dev!
Result:
• Dev forgets to document new flows, or does not realize there is a new flow
• Failure will happen in the Pre-Production environment – as desired
  • … triggering Sec review earlier in the cycle
[Diagram: Dev/Test, Pre-Prod, Prod Front and Prod Back zones]
MULTIPLE INSTANCES OF THE APPLICATION’S RECORD
• Application’s flows in Dev / Test / Pre-Prod / Prod have
  • Same services (“SQL”, “HTTPS”, …)
  • Same logical structure (“Application Logic server connects to DB”)
  • Different IP addresses: Test DB is different from Prod DB
• Maintain separate instances of the application’s record:
  • Dev (“Dev-Application-logic-server connects to Dev-DB”)
  • Test (“Test-Application-logic-server connects to Test-DB”)
  • Pre-Prod (“Pre-prod-Application-logic-server connects to Pre-Prod-DB”)
  • Prod (“Prod-Application-logic-server connects to Prod-DB”)
LIFECYCLE: MIGRATE BETWEEN STAGES
• Pushing an application version (e.g. from Pre-Prod to Production):
  • Provision workloads, deploy code, …
  • … Don’t forget to update the security policies protecting the next stage!
• Not a simple copy!
• Maintain a mapping:
  • Dev-DB → Test-DB
  • When deploying security rules, replace all Pre-Prod-DB by Prod-DB
DEVOPS WITH ALGOSEC
APPLICATION FLOW REPOSITORY: BUSINESSFLOW
For all applications, maintain a record of:
• Network flows
• Contact information
• Connectivity status
• Change history and activity log
• Risk and vulnerability information
• Initiate DevOps-led changes from the UI or from the API
SCENARIO: NEW APPLICATION ROLLOUT
Background:
• New application going live
• All testing in pre-production environment completed successfully
• Connectivity flows for pre-production documented in BusinessFlow
Current task:
• Configure security policies to allow connectivity in Production
• Move: if the application will no longer have a staging environment
• Clone: retain both staging and production environments
Map Pre-Production to Production servers
[Screenshots: BusinessFlow Change Request #4388 for GameStop Central - Production]
ZERO-TOUCH
All workflow steps can be automated (with controls & audit):
• Automatically accept security devices to update
• Automatically accept risk check (if risks below a defined threshold)
• Automatically implement on devices (“ActiveChange”)
CONTINUOUS INTEGRATION WITH ALGOSEC
DEVOPS PIPELINE
[Diagram: Developer commits code → Compile & Package → Unit Tests → Bring up test environments → Connectivity Tests + Open + Document → Run all tests (Integration, Performance) in the test environments → Deploy → Production]
CI: CONNECTIVITY TEST PIPELINE (ZOOM IN)
[Flowchart nodes: Application Connectivity .json + Code; Changed? (Yes / No); Test connectivity; BusinessFlow; FireFlow; Check status in BusinessFlow; Success / Fail; Pre-approved – automatic implementation; Requires security approval]
APP DEVELOPMENT
• Developer maintains a JSON file describing application connectivity requirements in test and production environments
• Commit with code
• Alternatively, the JSON is automatically derived from Puppet during test environment bring-up
ConnectivityRequirements.json
{
  "flow1": {
    "source": "10.20.1.4",
    "destination": "8.8.8.8",
    "service": "http",
    "description": "web connectivity to Google"
  },
  "flow2": {
    "source": "10.20.1.4",
    "destination": "10.20.5.112",
    "service": "tcp/5432",
    "description": "connectivity to PostgreSQL DB"
  }
}
CI UPDATES ALGOSEC
• If connectivity requirements change, the CI system (Jenkins, etc.) uses the AlgoSec plugin to update AlgoSec
• AlgoSec BusinessFlow calculates the required changes and opens a Change Request with AlgoSec FireFlow
CONNECTIVITY CHECK
• AlgoSec FireFlow calculates the network path and checks which security policies need to be updated (if any)
• If connectivity is already allowed → Return “Success”
OPEN BLOCKED CONNECTIVITY
• If connectivity is not allowed → go through the automatic change process
  • Find relevant firewalls and policies, perform “what-if” risk analysis
  • If no risks (pre-approved connectivity, not breaking compliance) → continue with zero-touch
  • Push changes to relevant firewalls and routers
    • Multiple vendors, physical or virtual, on-prem, SDN or cloud
  • → Return “Success”
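The connectivity check just described, combined with the object-group discipline (solution B from the Ops section) and the stage mapping from the Dev section, as an added Python example that is not AlgoSec's code or API. The ConnectivityRequirements.json sample (with a third flow added), the Pre-Prod to Prod address mapping, the production object groups and rules, and the pre-approved service list are all constructed assumptions.

```python
import copy
import ipaddress
import json

# Pre-production ConnectivityRequirements.json in the deck's format
# (constructed sample with straight quotes so it parses; flow3 is added
# here to show the approval path).
PRE_PROD_JSON = """{
  "flow1": {"source": "10.20.1.4", "destination": "8.8.8.8",
            "service": "http", "description": "web connectivity to Google"},
  "flow2": {"source": "10.20.1.4", "destination": "10.20.5.112",
            "service": "tcp/5432", "description": "connectivity to PostgreSQL DB"},
  "flow3": {"source": "10.20.1.4", "destination": "10.20.9.9",
            "service": "tcp/22", "description": "ssh to batch host"}
}"""

# Pre-Prod -> Prod address mapping kept next to the records (assumed values).
# Every pre-prod address a flow uses must have an entry here.
PRE_PROD_TO_PROD = {
    "10.20.1.4": "10.50.1.4",      # application-logic server
    "10.20.5.112": "10.50.5.112",  # PostgreSQL DB
    "10.20.9.9": "10.50.9.9",      # batch host, not in any prod object group yet
    "8.8.8.8": "8.8.8.8",          # external resource, identical in every stage
}

# Object groups on the production filtering device (solution B in the deck):
# rules reference groups, so adding a clone is an object change only.
# Listed most specific first; "internet" is the catch-all.
PROD_GROUPS = {
    "prod-app-logic": {"10.50.1.4"},
    "prod-db": {"10.50.5.112"},
    "internet": {"0.0.0.0/0"},
}
PROD_RULES = [{"src": "prod-app-logic", "dst": "prod-db", "service": "tcp/5432"}]

# Services security has pre-approved for zero-touch implementation (assumed).
PRE_APPROVED_SERVICES = {"http", "https"}


def load_flows(text):
    """Parse ConnectivityRequirements.json into a list of flow dicts."""
    return [dict(name=name, **flow) for name, flow in json.loads(text).items()]


def migrate(flows, mapping):
    """Rewrite one stage's flows for the next stage through the explicit
    mapping. An unmapped address is an error: silently carrying pre-prod
    addresses into production is the 'simple copy' the deck warns against."""
    out = []
    for f in flows:
        missing = [a for a in (f["source"], f["destination"]) if a not in mapping]
        if missing:
            raise KeyError(f"{f['name']}: no production address for {missing}")
        out.append({**f, "source": mapping[f["source"]],
                    "destination": mapping[f["destination"]]})
    return out


def groups_containing(ip, groups):
    """Names of all object groups whose members cover this address."""
    addr = ipaddress.ip_address(ip)
    return [g for g, members in groups.items()
            if any(addr in ipaddress.ip_network(m, strict=False) for m in members)]


def is_allowed(flow, rules, groups):
    """True if some rule permits the flow; rule endpoints are group names."""
    src_groups = groups_containing(flow["source"], groups)
    dst_groups = groups_containing(flow["destination"], groups)
    return any(r["service"] == flow["service"]
               and r["src"] in src_groups and r["dst"] in dst_groups
               for r in rules)


def connectivity_check(flows, rules, groups, pre_approved):
    """Classify each flow the way the CI pipeline does. Returns the results,
    the rule set after zero-touch changes, and an audit trail; the inputs
    are not mutated, so the caller decides what to push to the devices."""
    new_rules = copy.deepcopy(rules)
    results, audit = {}, []
    for f in flows:
        src_g = groups_containing(f["source"], groups)
        dst_g = groups_containing(f["destination"], groups)
        if is_allowed(f, new_rules, groups):
            results[f["name"]] = "success"  # connectivity already allowed
        elif f["service"] in pre_approved and src_g and dst_g:
            # Zero-touch path: known endpoints, pre-approved service. Add a
            # group-based rule (first = most specific group) and log it.
            rule = {"src": src_g[0], "dst": dst_g[0], "service": f["service"]}
            new_rules.append(rule)
            audit.append(f"{f['name']}: auto-implemented {rule}")
            results[f["name"]] = "auto-implemented"
        else:
            # Anything else goes to a reviewer as a Change Request.
            audit.append(f"{f['name']}: change request opened, requires security approval")
            results[f["name"]] = "requires-approval"
    return results, new_rules, audit
```

Running `connectivity_check(migrate(load_flows(PRE_PROD_JSON), PRE_PROD_TO_PROD), PROD_RULES, PROD_GROUPS, PRE_APPROVED_SERVICES)` classifies flow2 as already allowed, flow1 as auto-implemented and flow3 as requiring approval; a mapping missing the batch host makes `migrate` fail instead of copying the pre-prod address into production.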
WHAT JUST HAPPENED HERE
• High percentage of application changes – automatically processed
  • Either already works, or pre-approved and immediately implemented
• When manual security approval is required – Change Request automatically opened, with relevant application context
• Application connectivity requirements – automatically updated
  • Full application context and visibility – for infrastructure changes, security incidents, network or server migrations, maintenance, etc.
• Continuous compliance is retained
  • Security has full control over policy and approvals
  • Full audit trail and documentation of changes
THE BOTTOM LINE
• More agile application development and delivery cycles
• Security is no longer a bottleneck
• App developers, DevOps and Security all save time and work thanks to automation
MORE RESOURCES
Thank you!
Questions can be emailed to marketing@algosec.com

 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

PUTTING THE SEC INTO DEVOPS WITH ALGOSEC

9. ADDING CAPACITY
• Typically only Ops involved
• Typically only relevant to Production environment
• Add another
  • Web server to the web farm
  • Compute engine to the Compute cluster
  • Etc.
• New clone has the same role as existing clones
• No need for another security review – all pre-approved

10. SOUTHBOUND TRAFFIC: LOAD BALANCER
• Load balancer in front of the web farm
• Upstream security policies written using “Virtual IP” / “Virtual Server name”
Result:
• Add new server to the farm
• Update load balancer configuration to use the new resource
• No need to touch security policies
(Diagram labels: Load Balancer; Dev, Test, Prod Front, Prod Back, Pre-Prod)

11. EAST/WEST TRAFFIC
• Need to connect to / accept connections from other systems
  • Management connections
  • Access to internal/partner/Internet resources
  • Resources in other network segments
• Connections flow across security zones
• Load balancer does not help: need to differentiate between clones
(Diagram labels: Dev, Test, Prod Front, Prod Back, Pre-Prod, Firewall)

12. EAST/WEST TRAFFIC – SOLUTION A
• Careful IP address allocation!
• Discipline:
  • All clones have IP addresses in the same Subnet / Range / VLAN / VPC
  • Security policy rules allow traffic to/from the whole Subnet
Result:
• Add new server to the farm
• Ensure its IP address is in the correct Subnet / Range
• No need to touch Security Policies

13. ADDRESS ALLOCATION – PROPERTIES
Pro: works with all filtering technologies
Con:
• Pre-allocate IP addresses for each server class
• Need to predict maximal capacity

14. EAST/WEST TRAFFIC – SOLUTION B
• Use object groups!
• Discipline:
  • Filtering devices have a network object group for each server class
  • Security policy rules allow traffic to/from the object group
Result:
• Add new server to the farm
• Add its IP address to the correct object group
• No need to touch security policy rules – the object change is sufficient

15. OBJECT GROUPS – PROPERTIES
Pros:
• Clones can have arbitrary IP addresses
• No address pre-allocation
• No need to predict maximal capacity
Cons:
• Need to touch object definitions on security devices
  • Goal: zero-touch orchestration, with audit trail
• Requires filtering devices that support object groups
  • Router ACLs and cloud providers’ “Security Groups” have limitations
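As an added illustration of Solutions A and B (this is not code from the deck or from AlgoSec), the following Python models a filtering device's policy in which a rule operand is either a literal subnet (Solution A) or a named object group (Solution B). The addresses, group names, rule and the actor name are constructed. The point it shows is which action grows the farm without touching any rule, where Solution A stops working once the pre-allocated range is exhausted, and what the audit trail records for the object change that Solution B requires.

```python
"""Zero-touch capacity growth: subnet-based rules (Solution A) versus
object-group-based rules (Solution B).

Constructed model of a filtering device's policy; addresses, group names
and the actor name are invented for illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Named network objects: name -> list of hosts/subnets (Solution B).
    objects: dict = field(default_factory=dict)
    # Rules: (source, destination, service). Each side is either the name
    # of an object group or a literal CIDR string (Solution A).
    rules: list = field(default_factory=list)
    # Every change to an object definition is recorded for the audit trail.
    audit_log: list = field(default_factory=list)

    def members(self, ref):
        """Resolve a rule operand to the list of networks it covers."""
        if ref in self.objects:
            return [ipaddress.ip_network(m) for m in self.objects[ref]]
        return [ipaddress.ip_network(ref)]

    def allows(self, src, dst, service):
        """True if some rule matches the (src, dst, service) triple."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for s_ref, d_ref, svc in self.rules:
            if svc != service:
                continue
            if (any(src in n for n in self.members(s_ref))
                    and any(dst in n for n in self.members(d_ref))):
                return True
        return False

    def add_to_group(self, group, host, actor):
        """Solution B: growing the farm touches only the object, not the rules,
        and leaves an audit record of who added what."""
        self.objects.setdefault(group, []).append(f"{host}/32")
        self.audit_log.append(f"{actor}: added {host} to {group}")


def solution_a_demo():
    """Solution A: the rule names the whole pre-allocated web-farm subnet.
    A clone inside the range is allowed with no change at all; a clone
    outside it (range exhausted) is blocked until someone edits rules."""
    pol = Policy(rules=[("10.20.1.0/24", "10.20.5.0/24", "tcp/5432")])
    in_range = pol.allows("10.20.1.9", "10.20.5.112", "tcp/5432")
    out_of_range = pol.allows("10.20.2.9", "10.20.5.112", "tcp/5432")
    return in_range, out_of_range  # (True, False)


def solution_b_demo():
    """Solution B: the rule names the object group, so a clone with an
    arbitrary address only needs to be added to the group."""
    pol = Policy(objects={"web-farm": ["10.20.1.4/32"],
                          "db-servers": ["10.20.5.112/32"]},
                 rules=[("web-farm", "db-servers", "tcp/5432")])
    before = pol.allows("10.20.2.9", "10.20.5.112", "tcp/5432")
    pol.add_to_group("web-farm", "10.20.2.9", actor="orchestrator")
    after = pol.allows("10.20.2.9", "10.20.5.112", "tcp/5432")
    # Rule count is unchanged: only the object definition moved.
    return before, after, len(pol.rules), pol.audit_log


if __name__ == "__main__":
    print("Solution A (in range, out of range):", solution_a_demo())
    print("Solution B (before, after, rules, audit):", solution_b_demo())
```

The audit log is the part a security team cares about in the "zero-touch orchestration" goal of slide 15: the object change is the only write the orchestrator performs, so it is also the only thing that needs to be reviewed after the fact.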
16. DEV + SECURITY SCENARIOS

17. DEVOPS WITHOUT “SEC” FAILURES
• Developers add new functionality to an application
• Everything works in Test and Pre-Production environments
• Push new version to Production -> Fail!

18. WHAT WENT WRONG?
• Remember “No application is an island”
• New functionality includes new connectivity flows
• Dev didn’t document the new flows
  • Possibly didn’t realize new connectivity was required
• Relaxed security policy in Dev, Test, Pre-Production environments allows connectivity
  • Maybe the resource replica/placeholder is inside the same zone?
• Application works in Test: no need for Sec involvement – wrong!

19. DOCUMENT THE APPLICATION FLOWS
• Maintain a repository recording all the flows required by each application
• For each flow record, at least:
  • Source and Destination IP addresses
  • Services and network-applications in use
• Automation tools:
  • Modify the application record whenever new functionality adds flows
  • Add security review and approval for new flows during the Dev cycle

20. TIP: TIGHTEN SECURITY AROUND TEST
• Place filtering devices around the Pre-Production environment
• Apply the tight security policy of Production
  • Not the loose policy of Dev!
Result:
• Dev forgets to document new flows, or
• Does not realize there is a new flow
• Failure will happen in the Pre-Production environment – as desired
• … triggering Sec review earlier in the cycle
(Diagram labels: Dev, Test, Prod Front, Prod Back, Pre-Prod)

21. MULTIPLE INSTANCES OF APPLICATION’S RECORD
• Application’s flows in Dev / Test / Pre-Prod / Prod have
  • Same services (“SQL”, “HTTPS”, …)
  • Same logical structure (“Application Logic server connects to DB”)
  • Different IP addresses: Test DB is different from Prod DB
• Maintain separate instances of the application’s record:
  • Dev (“Dev-Application-logic-server connects to Dev-DB”)
  • Test (“Test-Application-logic-server connects to Test-DB”)
  • Pre-Prod (“Pre-prod-Application-logic-server connects to Pre-Prod-DB”)
  • Prod (“Prod-Application-logic-server connects to Prod-DB”)

22. LIFECYCLE: MIGRATE BETWEEN STAGES
• Pushing an application version (e.g. from Pre-Prod to Production):
  • Provision workloads, deploy code, …
  • … Don’t forget to update the security policies protecting the next stage!
• Not a simple copy!
• Maintain a mapping:
  • Dev-DB -> Test-DB
  • When deploying security rules, replace all Pre-Prod-DB by Prod-DB
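To make slides 21 and 22 concrete, here is an added Python example (not the deck's or AlgoSec's code) of one logical application record rendered per stage, and of the address mapping used to promote Pre-Prod rules to Production. The application record, stage host lists, addresses and services are constructed. `promote` refuses a rule that mentions an address the mapping does not cover instead of copying it into the next stage, and `stale_addresses` shows what a plain copy would have left behind, which is what "not a simple copy" means in practice.

```python
"""One logical application record, instantiated per stage, plus the
address mapping used when promoting security rules between stages.

Constructed example: record, roles, stage host lists and addresses are
invented for illustration."""

# Logical flows name roles, not addresses (slide 21: "same logical structure").
APP_RECORD = {
    "name": "orders",
    "flows": [
        {"source": "app-logic", "destination": "db", "service": "tcp/5432"},
        {"source": "web", "destination": "app-logic", "service": "tcp/8443"},
    ],
}

# Per-stage resolution of each role to concrete addresses. Prod's web role
# has two servers, so one Pre-Prod rule becomes two Prod rules.
STAGE_HOSTS = {
    "pre-prod": {"web": ["10.30.1.4"], "app-logic": ["10.30.2.4"], "db": ["10.30.5.112"]},
    "prod": {"web": ["10.20.1.4", "10.20.1.5"], "app-logic": ["10.20.2.4"], "db": ["10.20.5.112"]},
}


def render_rules(record, stage, stage_hosts=STAGE_HOSTS):
    """Instantiate the record for one stage: a concrete (src, dst, service)
    rule for every host pair behind the logical flow."""
    hosts = stage_hosts[stage]
    rules = []
    for flow in record["flows"]:
        for src in hosts[flow["source"]]:
            for dst in hosts[flow["destination"]]:
                rules.append((src, dst, flow["service"]))
    return rules


def stage_mapping(src_stage, dst_stage, stage_hosts=STAGE_HOSTS):
    """Slide 22's mapping (e.g. Pre-Prod-DB -> Prod-DB), derived per role:
    each previous-stage address maps to all next-stage addresses of its role."""
    mapping = {}
    for role, old_addrs in stage_hosts[src_stage].items():
        for old in old_addrs:
            mapping[old] = list(stage_hosts[dst_stage][role])
    return mapping


def promote(rules, mapping):
    """Replace every previous-stage address by its next-stage address(es).
    An address without a mapping is an undocumented host: fail loudly rather
    than silently carry a Pre-Prod address into the Prod policy."""
    promoted = []
    for src, dst, service in rules:
        if src not in mapping or dst not in mapping:
            raise KeyError(f"no stage mapping for rule {(src, dst, service)}")
        for new_src in mapping[src]:
            for new_dst in mapping[dst]:
                promoted.append((new_src, new_dst, service))
    return promoted


def stale_addresses(rules, stage, stage_hosts=STAGE_HOSTS):
    """Addresses referenced by rules that do not belong to the given stage:
    what a naive copy of Pre-Prod rules into Prod would leave behind."""
    known = {addr for addrs in stage_hosts[stage].values() for addr in addrs}
    return {addr for src, dst, _ in rules for addr in (src, dst) if addr not in known}


if __name__ == "__main__":
    pre = render_rules(APP_RECORD, "pre-prod")
    print("naive copy leaves stale addresses:", stale_addresses(pre, "prod"))
    print("promoted rules:", promote(pre, stage_mapping("pre-prod", "prod")))
```

The consistency check worth keeping in a pipeline is that promoting the Pre-Prod rules through the mapping yields exactly the rules rendered from the Prod instance of the record; if the two sets differ, either the record or the mapping is out of date.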
24. APPLICATION FLOW REPOSITORY: BUSINESSFLOW
For all applications, maintain a record of:
• Network flows
• Contact information
• Connectivity status
• Change history and activity log
• Risk and vulnerability information
• Initiate DevOps-led changes from UI or from API
25–28. (screenshot slides, no text)
29. SCENARIO: NEW APPLICATION ROLLOUT
Background:
• New application going live
• All testing in the pre-production environment completed successfully
• Connectivity flows for pre-production documented in BusinessFlow
Current task:
• Configure security policies to allow connectivity in Production
30–32. (screenshot slides, no text)
33.
• Move: if the application will no longer have a staging environment
• Clone: retain both staging and production environments

34. Map Pre-Production to Production servers
35, 36, 37, 39, 42. (screenshot slides, no text)
43. ZERO-TOUCH
All workflow steps can be automated (with controls & audit):
• Automatically accept security devices to update
• Automatically accept risk check (if risks below a defined threshold)
• Automatically implement on devices (“ActiveChange”)

45. DEVOPS PIPELINE
(Pipeline diagram, stages in order:) Developer commits code -> Compile & Package -> Unit Tests -> Bring up test environments -> Connectivity Tests (+ Open + Document) -> Run all tests (Integration, Performance) -> Deploy to Production

46. CI: CONNECTIVITY TEST PIPELINE (ZOOM IN)
(Flowchart) Code + Application Connectivity .json -> Changed?
• No -> Test connectivity -> Success (or Fail)
• Yes -> BusinessFlow -> FireFlow -> Check status in BusinessFlow -> Pre-approved: automatic implementation -> Success; otherwise: Requires security approval
47. APP DEVELOPMENT
• Developer maintains a json file describing application connectivity requirements in test and production environments
• Commit with code
• Alternatively, json automatically derived from puppet during test environment bring-up

ConnectivityRequirements.json
    {
      "flow1": {
        "source": "10.20.1.4",
        "destination": "8.8.8.8",
        "service": "http",
        "description": "web connectivity to Google"
      },
      "flow2": {
        "source": "10.20.1.4",
        "destination": "10.20.5.112",
        "service": "tcp/5432",
        "description": "connectivity to PostgreSQL DB"
      }
    }
48. CI UPDATES ALGOSEC
• If connectivity requirements change, the CI system (Jenkins, etc.) uses the AlgoSec plugin to update AlgoSec
• AlgoSec BusinessFlow calculates the required changes and opens a Change Request with AlgoSec FireFlow

49. CONNECTIVITY CHECK
• AlgoSec FireFlow calculates the network path and checks which security policies need to be updated (if any)
• If connectivity already allowed -> Return “Success”

50. OPEN BLOCKED CONNECTIVITY
• If connectivity not allowed -> go through the automatic change process
• Find relevant firewalls and policies, perform “what-if” risk analysis
• If no risks (pre-approved connectivity, not breaking compliance) -> continue with zero-touch
• Push changes to relevant firewalls and routers
  • Multiple vendors, physical or virtual, on-prem, SDN or cloud
• -> Return “Success”
(Vendor logos, including ACI)
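The connectivity-test pipeline of slides 46 to 50, reduced to one decision function, as an added Python example that is not AlgoSec's plugin or product code: it diffs the committed ConnectivityRequirements.json against the last applied version (the "Changed?" box), checks every flow against the current policy, and routes each changed flow to "already allowed", "pre-approved, zero-touch" or "requires security approval". flow1 and flow2 are the ones on slide 47; the current policy, the pre-approved patterns, the two risk checks, the threshold and the added flow3 are constructed for the example.

```python
"""CI connectivity step (slides 46 to 50) as a decision function.

Constructed example: the policy, pre-approved patterns, risk checks,
threshold and flow3 are invented; flow1 and flow2 come from slide 47."""
import ipaddress
import json

# Committed ConnectivityRequirements.json: slide 47's flows plus a constructed flow3.
COMMITTED_JSON = """{
  "flow1": {"source": "10.20.1.4", "destination": "8.8.8.8",
            "service": "http", "description": "web connectivity to Google"},
  "flow2": {"source": "10.20.1.4", "destination": "10.20.5.112",
            "service": "tcp/5432", "description": "connectivity to PostgreSQL DB"},
  "flow3": {"source": "10.20.1.4", "destination": "10.20.5.113",
            "service": "tcp/5432", "description": "connectivity to PostgreSQL replica"}
}"""

# The version last applied, i.e. what the flow repository already knows: flow2 only.
PREVIOUS_JSON = """{
  "flow2": {"source": "10.20.1.4", "destination": "10.20.5.112",
            "service": "tcp/5432", "description": "connectivity to PostgreSQL DB"}
}"""

# Current firewall policy as (src_cidr, dst_cidr, service) allow entries (constructed).
CURRENT_POLICY = [("10.20.1.0/24", "10.20.5.112/32", "tcp/5432")]

# Pre-approved connectivity: a change matching one of these needs no human approval.
PRE_APPROVED = [("10.20.1.0/24", "10.20.5.0/24", "tcp/5432")]

RISK_THRESHOLD = 0  # risk scores above this always require security approval


def _matches(entry, flow):
    """True if the policy entry covers the flow's source, destination and service."""
    src_net, dst_net, service = entry
    return (service == flow["service"]
            and ipaddress.ip_address(flow["source"]) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(flow["destination"]) in ipaddress.ip_network(dst_net))


def _key(flow):
    return (flow["source"], flow["destination"], flow["service"])


def changed_flows(committed, previous):
    """The 'Changed?' box: flows whose (source, destination, service) tuple is new."""
    known = {_key(f) for f in previous.values()}
    return {name: f for name, f in committed.items() if _key(f) not in known}


def risk_score(flow):
    """'What-if' risk analysis reduced to two constructed compliance checks:
    traffic leaving private address space, and cleartext services."""
    score = 0
    if not ipaddress.ip_address(flow["destination"]).is_private:
        score += 1
    if flow["service"] in ("http", "telnet", "ftp"):
        score += 1
    return score


def run_pipeline(committed_json=COMMITTED_JSON, previous_json=PREVIOUS_JSON):
    """Return the pipeline outcome for every flow in the committed file."""
    committed, previous = json.loads(committed_json), json.loads(previous_json)
    changed = changed_flows(committed, previous)
    results = {}
    for name, flow in committed.items():
        allowed = any(_matches(e, flow) for e in CURRENT_POLICY)
        if name not in changed:
            # Unchanged requirement: only test that connectivity still works.
            results[name] = "success" if allowed else "fail: connectivity regressed"
        elif allowed:
            results[name] = "success: already allowed"
        elif any(_matches(e, flow) for e in PRE_APPROVED) and risk_score(flow) <= RISK_THRESHOLD:
            results[name] = "success: pre-approved, implemented zero-touch"
        else:
            results[name] = "requires security approval: change request opened"
    return results


if __name__ == "__main__":
    for name, outcome in run_pipeline().items():
        print(name, "->", outcome)
```

With the constructed inputs, flow2 is unchanged and already allowed, flow3 is new but falls inside a pre-approved pattern with zero risk and so is implemented without a human, and flow1 (Internet-bound, cleartext http) is the one that gets a change request for security review. The threshold is the knob slide 43 refers to: raising it widens what the pipeline implements on its own, so it is the setting a security team should own.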
51. WHAT JUST HAPPENED HERE
• High percentage of application changes – automatically processed
  • Either already works, or pre-approved and immediately implemented
• When manual security approval is required – Change Request automatically opened, with relevant application context
• Application connectivity requirements – automatically updated
  • Full application context and visibility – for infrastructure changes, security incidents, network or server migrations, maintenance, etc.
• Continuous compliance is retained
  • Security has full control over policy and approvals
  • Full audit trail and documentation of changes

52. THE BOTTOM LINE
• More agile application development and delivery cycles
• Security is no longer a bottleneck
• App developers, DevOps and Security all save time and work thanks to automation

54. Thank you! Questions can be emailed to marketing@algosec.com