DevSecOps: Taking a DevOps Approach to Security
Alert Logic & Chef discuss overcoming security challenges in DevOps
Before We Begin
Housekeeping
• Turn on your system’s sound to hear the streaming presentation
• Questions? Submit them to the presenter at any time in the question box
• The presentation slides will be available to download from the attachment tab after the webinar
• The webinar will be recorded and published on BrightTalk
• Technical problems? Click “Help”
Agenda
• Security Challenges
• High Velocity IT
• Vulnerability Management
• Securing the Platform
• Continuous Monitoring
• Questions
Speaker Introduction
James Brown
• Director of Cloud Computing & Security Architecture
• Alert Logic
Alex Manly
• Solution Architect
• Chef
OVERCOMING SECURITY CHALLENGES
Security Remains #1 Pain Point For Cloud Deployments
Cloud Computing Pain Points
[Bar chart: share of respondents naming each pain point, ranging from 2% to 31%. Security is the largest bar at 31%; the other categories shown are Storage, Data Movement, Governance, Capacity Planning/Management, Legacy Applications, Technology Immaturity, Complexity, Limited Transparency and Management, Service-level Management, Lack of Standards, Network, Service Reliability/Availability, Contractual/Legal Issues, Organizational Challenges, Vendor/Provider Issues, Lack of Internal Process Management, Internal Resources/Expertise, Migration/Integration, Compliance, Security of Data/Control of Data Locality/Sovereignty, Human Change Management and Pricing/Budget/Cost. A further “Other Pain Points” legend is truncated in the source.]
Q. What are your top cloud computing-related pain points?
Source: Cloud Computing – Wave 7 | © 2014 451 Research, LLC. www.451research.com
Shared Security Model
Application Security Technology Challenges
• Network Changes
• Host Identity
• Auto-Scaling
Why do traditional security tools struggle in the cloud?
Security at Odds with DevOps Velocity
Traditional Security/Compliance is Slow
• Bolted on at the end
• Manual processes
• Long cycle times
Mature DevOps Velocity is Fast
Security Practice does not Keep Up
• Traditional Security Tools are not automated
• Continuous deployment stalls without security automation
InfoSec Ends Up Being Marginalized
“The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.”
Gene Kim, former CTO of Tripwire
Author of “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win”
Alert Logic Survey Findings
• Good communications between Development and Operations teams
• Poor communication between DevOps, Security and Compliance teams
• Security infrastructure had been poorly managed or needed significant improvement
• Admitted to not implementing security into their continuous process
High velocity IT
• Web scale IT
• Software is eating the world
• The rise of the coded business
• Every business is an IT business
• Software defined everything
• Deliver change faster and safer
Infrastructure on demand
• Cheap
• Secure
• Elastically Scalable
• Self Service
DevOps
Configuration Management
Continuous Delivery
Architecture
Compliance Drag
“If you think compliance is expensive, try non-compliance.”
Former US Deputy Attorney General, Paul McNulty
• Many hats **
• Not just Dev, not just Ops.
• Security is not, and has never been, just a check box.
• Security as Code: software-defined security
• Embed security tests into the pipeline.
• Test security early.
DevSecOps – Don’t shoot me, it’s just a word
** Hat tip to Ben Hughes (@benjammingh), from whom I stole this slide:
https://speakerdeck.com/barnbarn/handmade-security-at-etsy
The changing role of the compliance officer
2015 Compliance Report - Verizon
VULNERABILITY MANAGEMENT
Vulnerability Management
Vulnerability management is key to maintaining a secure system. Most IT environments use a mix of patch management and vulnerability scanning.
However:
• Scanning is not run frequently enough
• Dealing with large numbers of potential vulnerabilities in one go introduces significant risk to application stability
Manage Vulnerabilities with Base Images + CI
Manage Vulnerabilities
• Conduct normal vulnerability scanning
• Identify vulnerabilities that exist in base images versus application-specific packages
• Remediate at the appropriate level as part of the Continuous Delivery process
• Start with a hardened, “secure by default” base
Results
• Less work, done more reliably
• Patching fits naturally into Phoenix Upgrades
• Continuous Delivery allows frequent scanning in test environments to have real value
• Fixes potential vulnerabilities systematically
Adopt Phoenix upgrade strategy
Embrace Phoenix Upgrades
• Stand up new instances, don’t upgrade
• Route traffic between old and new instances
• Rich service metrics and automated rollback
• Advanced routing can enable selective rollout
Results
• Creates evergreen systems, avoiding configuration drift and technical debt
• Enforces refresh of all system components as a complete artifact, tested as a holistic system
• Greatly reduces security risks when combined with immutable instances and configuration management
Real World Case – Patching Shellshock
SECURING THE PLATFORM
Securing the platform
Aside from ensuring that an application and its server are fully patched, it is key to start from a position where the server has been fully locked down.
In the cloud, have the developers taken the base OS versions made available to them and used them as they are?
You may be in a position where:
• You cannot change permissions on servers without risking breaking the application
• Base OS images are used without any specific security implemented
• Different standards apply across different server types.
Prevent Attacks with Immutable Systems
Build secure base images that are representative of your infrastructure system base.
Design the file system layout to separate code from data, and lock down to the minimum required permissions. This should extend to the network as well.
Leverage SANS checklist and CIS Benchmark resources for system-level security best practices and guidance.
Leverage configuration management tools to standardize all software versions and configurations.
Design Secure Immutable Infrastructure
• This example identifies any code that tries to mount disk volumes. If such code is found, it is flagged for audit, and a workflow can then control how this deviation from standards is handled.
Example – Static Control Analysis
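As an added example (not from the deck, and not Chef's own tooling), a small Ruby checker in the spirit of this slide: it parses a cookbook recipe with Ruby's Ripper and reports every `mount` resource, plus any `execute`/`bash`/`script` resource whose command string runs mount. The sample recipe, the resource list and the shell pattern are constructed for the example.

```ruby
require 'ripper'
# Constructed sample recipe for this example (not from the deck).
SAMPLE_RECIPE = <<~RECIPE
  package 'httpd'

  mount '/mnt/data' do
    device '/dev/xvdf'
    fstype 'ext4'
    action [:mount, :enable]
  end

  execute 'mount-scratch' do
    command 'mount /dev/xvdg /scratch'
  end
RECIPE

FLAGGED_RESOURCE = 'mount'                  # every use is a deviation
SHELL_RESOURCES  = %w[execute bash script]   # a mount can hide in a string
MOUNT_IN_SHELL   = /(?<![\w\/.-])mount\b/    # 'mount' used as a shell word

# If node is a resource call such as `mount '/x'`, return its :@ident node.
def resource_ident(node)
  return nil unless node.is_a?(Array) && node[0] == :command
  node[1].is_a?(Array) && node[1][0] == :@ident ? node[1] : nil
end

# Every string literal beneath a node (used to inspect resource bodies).
def string_literals(node, out = [])
  return out unless node.is_a?(Array)
  out << node[1] if node[0] == :@tstring_content
  node.each { |child| string_literals(child, out) }
  out
end

def record_hit(hits, ident, body)
  name, line = ident[1], ident[2][0]
  if name == FLAGGED_RESOURCE
    hits << { resource: name, line: line, via: 'resource' }
  elsif SHELL_RESOURCES.include?(name) && body &&
        string_literals(body).any? { |s| s.match?(MOUNT_IN_SHELL) }
    hits << { resource: name, line: line, via: 'shell command' }
  end
end

# Parse recipe source with Ripper and return each flagged declaration as
# { resource:, line:, via: }. Raises if the recipe is not valid Ruby.
def find_mount_usage(source)
  sexp = Ripper.sexp(source)
  raise ArgumentError, 'recipe does not parse' if sexp.nil?
  hits = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    children = node
    if node[0] == :method_add_block && (ident = resource_ident(node[1]))
      record_hit(hits, ident, node[2])   # resource with a do ... end body
      children = [node[2]]               # call node already handled
    elsif (ident = resource_ident(node))
      record_hit(hits, ident, nil)       # resource without a body
    end
    children.each { |child| walk.call(child) }
  end
  walk.call(sexp)
  hits
end
```

Running `find_mount_usage(SAMPLE_RECIPE)` reports the `mount` resource on line 3 and the `execute` shell-out on line 9; a CI gate can fail the build, or hand the findings to a review workflow, when the list is non-empty.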
Example – Infrastructure Testing
Tests Chef cookbooks using cloud instances and virtual machines
Lets you create a realistic multi-server test environment
Uses Chef and supports everything Chef supports (OSs, VMs, languages, etc.)
Supports multiple test runners (Bats, Minitest, RSpec, ServerSpec, etc.)
CONTINUOUS MONITORING
Chef Analytics Provides Visibility in Three Ways
• Records changes to the Chef Server or any Chef nodes
• Tracks changes from any source (Chef UI, command line, knife)
• Built-in messaging and email integration
• Trivially integrates with your existing systems
• Simple dashboard with search, filters and sorting options
• Integrates with existing tools via API
Example
• PCI 2.3 – Encrypt all non-console administrative access such as browser/Web-based management tools.
Rule
The rule's name field must match the description of the audit control below, or the rule never fires:
rules 'PCI 2.3 - Confirm telnet port not available'
  rule on run_control
  when
    name = 'has nothing listening'
    resource_type = 'port'
    resource_name = '23'
    status != 'success'
  then
    audit:error("PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.")
    notify("security-team@financialcorp.com", "A machine is listening for connections on port 23/telnet!")
  end
end
Control
# Chef audit-mode control (ServerSpec matchers); it fails the chef-client
# audit run on any node that has a telnet listener.
controls 'port compliance' do
  control port(23) do
    it 'has nothing listening' do
      expect(port(23)).to_not be_listening
    end
  end
end
Example – PCI Compliance
• SOX Section 302.4.B – Establish verifiable controls to track data access.
Rule
rules 'force key based auth'
  rule on run_control
  when
    name = 'is disabled'
    resource_type = 'File'
    resource_name = '/etc/ssh/sshd_config'
    status = 'failed'
  then
    audit:error("SOX Section 302.4.B - Establish verifiable controls to track data access.")
    notify("security-team@financialcorp.com", "A machine has password login enabled!")
  end
end
Control
# Chef audit-mode control; fails when sshd_config explicitly sets
# PasswordAuthentication yes (matched against the file's content).
controls 'password authentication' do
  control file('/etc/ssh/sshd_config') do
    it 'is disabled' do
      expect(file('/etc/ssh/sshd_config').content)
        .to_not match(/^\s*PasswordAuthentication\s+yes/i)
    end
  end
end
Example - SOX Compliance
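The SOX control above only catches an explicit `PasswordAuthentication yes`; OpenSSH also allows password logins when the keyword is absent, takes the first value when a keyword is repeated, and treats settings under a `Match` line as conditional. The following added example (Ruby; not from the deck, Chef or ServerSpec) evaluates the effective global setting with those rules and compares it with the slide's pattern on constructed config fragments.

```ruby
# Effective value of a keyword in the global section of sshd_config,
# following OpenSSH's rules: lines starting with '#' are comments, keywords
# are case-insensitive, "Key value" and "Key=value" are both accepted, the
# FIRST value seen wins, and everything after a 'Match' line is conditional
# (this check stops there, so only the global setting is evaluated).
def sshd_global_setting(config, keyword)
  config.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    break if key.casecmp?('Match')
    return value.to_s.strip if key.casecmp?(keyword)
  end
  nil
end

# OpenSSH defaults PasswordAuthentication to yes when the keyword is absent,
# so absence must be treated as enabled.
def password_auth_enabled?(config)
  value = sshd_global_setting(config, 'PasswordAuthentication')
  value.nil? || value.casecmp?('yes')
end

# The slide's pattern, for comparison: it only fires on an explicit "yes".
NAIVE_PATTERN = /^\s*PasswordAuthentication\s+yes/i
def naive_flags?(config)
  config.match?(NAIVE_PATTERN)
end

# Constructed sshd_config fragments (not from the deck) covering the cases
# where the two approaches disagree.
SAMPLES = {
  'explicit yes'         => "Port 22\nPasswordAuthentication yes\n",
  'commented default'    => "#PasswordAuthentication yes\nPasswordAuthentication no\n",
  'absent (default yes)' => "Port 22\nPermitRootLogin no\n",
  'first value wins'     => "PasswordAuthentication yes\nPasswordAuthentication no\n",
  'only in Match block'  => "PasswordAuthentication no\nMatch User deploy\n  PasswordAuthentication yes\n"
}.freeze

SAMPLES.each do |label, cfg|
  puts format('%-22s effective=%-5s naive=%s', label,
              password_auth_enabled?(cfg), naive_flags?(cfg))
end
```

The "absent" fragment is the one that matters most: the slide's regex reports it as compliant while password logins are actually enabled, so a control should assert on the effective value rather than on the presence of a "yes" line.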
How Cloud Defender Works
[Diagram: Alert Logic Cloud Defender. The customer IT environment (cloud, hybrid, on-premises) feeds web application events, log data and network incidents into three layers: a Big Data Analytics Platform (Alert Logic ActiveAnalytics), Threat Intelligence & Security Content (Alert Logic ActiveIntelligence) and 24x7 Monitoring & Escalation (Alert Logic ActiveWatch), which together identify attacks and protect customers.]
Alert Logic Cloud Defender
Threat Manager: Network Intrusion Detection
• Detects suspicious activities across your networks
• Uncovers vulnerabilities in your networks, systems, and applications
Log Manager: Log Management & Analysis
• Protects your networks, systems, and applications through log analysis
• Collects, aggregates, and normalizes logs for easy searching and long-term storage
Web Security Manager: Web Application Protection
• Built to protect web applications from web-specific attacks
• Learning engine adapts to normal behavior, ensuring application uptime
Simple Unified Deployment
Questions and Resources
Resources
All available under the “Attachments” tab of the webinar:
• DevOps: The Security Gap
• Key findings from Alert Logic’s recent Dev-“Sec”-Ops Survey
• Chef’s Whitepaper: Compliance at Velocity
• Alert Logic Blog
• Top 10 Tips for Security Professionals Blog
Questions
• Questions? Submit them to the presenter at any time in the question box
Get Connected
www.alertlogic.com
www.chef.io
@alertlogic
@chef
linkedin.com/company/alert-logic
linkedin.com/company/opscode
alertlogic.com/resources/blog/
chef.io/blog
youtube.com/user/AlertLogicTV
youtube.com/user/getchef
brighttalk.com/channel/11587
brighttalk.com/channel/11349
Contact Us
James Brown
Director of Cloud Computing & Security Architecture
Alert Logic
jbrown@alertlogic.com
Alex Manly
Solution Architect
Chef
amanly@chef.io
Thank you!
