Devops Indonesia - DevSecOps - The Open Source Way

DEVOPS
INDONESIA
DEVOPS INDONESIA
Jakarta, 26 September 2018
DevSecOps: The Open Source Way
DevOps Community in Indonesia

DEVOPS
INDONESIA
DEVOPS INDONESIA HOUSE RULES
100% ATTENTION
TAKE NOTES, NOT CALLS
RECEIVE KNOWLEDGE, NOT MESSAGES
MUTE NOTIFICATIONS FOR SLACK QQ WHATSAPP IMESSAGE EMAIL
TELEGRAM SNAPCHAT FACEBOOK WEIBO HANGOUTS VOXER SIGNAL G+
TWITTER VIBER SKYPE WECHAT LINE SMS ...

DEVOPS
INDONESIA
Let’s get know each other
Let's get know each other

DEVOPS
INDONESIA
Linux Geek | OpenSource Enthusiast | Security Hobbies
Yusuf Hadiwinata Sutandar

DEVOPS
INDONESIA
Managing risk in a volatile DevOps worldManaging risk in a volatile DevOps world

DEVOPS
INDONESIA
Raise You Hand!
Who..
...has heard of Docker?

DEVOPS
INDONESIA
...knows what Docker is?

DEVOPS
INDONESIA
...has tried Docker?
or
...uses Docker?

DEVOPS
INDONESIA
...uses Docker in production?
...with additional tools?

DEVOPS
INDONESIA
...or even implement DevSecOps?
Or SecDevOps..
DevOpsSec?!!
Or maybe SecDevSecOpsSec?

DEVOPS
INDONESIA
WHY DevSecOps?WHY DevSecOps?
● DevOps “purists” point out that security
was always part of DevOps
● Did people just not read the book? Are
practitioners skipping security?
● DevSecOps practitioners say it’s about
how to continuously integrate and
automate security at scale
● Goal:
● Protecting private User-data/Company daya
● Restricting access
● Standar Compliance

DEVOPS
INDONESIA
GLASS HALF EMPTY, GLASS HALF FULLGLASS HALF EMPTY, GLASS HALF FULL
“... we estimate that fewer than 20% of enterprise security
architects have engaged with their DevOps initiatives to actively and
systematically incorporate information security into their DevOps initiatives;
and fewer still have achieved the high degrees of security automation
required to qualify as
DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have
incorporated automated security vulnerability and configuration
scanning for
open source components and commercial packages, up from less than 10%
in 2016.”
DevSecOps: How to Seemlessly Integrate Security Into DevOps, Gartner Inc. September 2016

DEVOPS
INDONESIA
Security is seen as an inhibitor to DevOpsSecurity is seen as an inhibitor to DevOps
● Security infrastructure has
lagged in its ability to become
‘software defined’ and
programmable, making it
difficult to integrate...
● Modern applications are largely
‘assembled,’ not developed, and
developers often download and
use known vulnerable
open-source components and
frameworks

DEVOPS
INDONESIA
Applications are ‘assembled’...Applications are ‘assembled’...
...utilizing billions of available
libraries, frameworks and utilities
● Not all are created equal, some are
healthy and some are not
● All go bad over time, they age like
milk, not like wine
● Data shows enterprises consumed an
average 229,000 software components
annually, of which 17,000 had a known
security vulnerability

DEVOPS
INDONESIA
THE PERFECT STORMTHE PERFECT STORM
● Cloud
● DevOps
● Open Source Software
innovation explosion
● Containers/Microservices
● Digital transformation

DEVOPS
INDONESIA
YOU MANAGE RISK BYYOU MANAGE RISK BY
● Securing the Assets/Infra
● Securing the Dev
● Securing the Ops
● Securing the APIs

DEVOPS
INDONESIA
SECURING THE ASSETSSECURING THE ASSETS
● Building code
● Watching for changes in how things get
built
● Signing the builds
● Built assets
● Scripts, binaries, packages (RPMs),
containers
● (OCI images), machine images (ISOs,
etc.)
● Registries (Service, Container, App)
● Repositories (Local on host images
assets)

DEVOPS
INDONESIA
SECURING THE SOFTWARESECURING THE SOFTWARE
ASSETS - E.G. IMAGEASSETS - E.G. IMAGE
REGISTRYREGISTRY
● Public and private registries
● Do you require a private registry?
● What security meta-data is available
for your images?
● Are the images in the registry
updated regularly?
● Are there access controls on the
registry? How strong are they?
● Who can push images to the
● registry?

DEVOPS
INDONESIA
SECURING THE ASSETSSECURING THE ASSETS
HEALTH - Security freshness
● Freshness Grade for container security.
● Monitor image registry to
automatically replace affected images
● Use policies to gate what can be
deployed: e.g. if a container requires
root access, prevent deployment

DEVOPS
INDONESIA
SECURING THESECURING THE
DEVELOPMENT PROCESSDEVELOPMENT PROCESS
● Potentially lots of parallel builds
● Source code
● Where is it coming from?
● Who is it coming from?
● Supply Chain Tooling
● CI tools (e.g. Jenkins)
● Testing tools
● Scanning Tools (e.g. Black Duck,
Sonatype)

DEVOPS
INDONESIA
OPERATIONSOPERATIONS
Deployment
● Trusted registries and repos
● Signature authenticating and
authorizing
● Image scanning
● Policies
● Ongoing assessment with
automated remediation

DEVOPS
INDONESIA
OPERATIONSOPERATIONS
Lifecycle
● Blue Green or A/B or Canary,
continuous deployments
● Monitoring deployments
● Possibly multiple environments

DEVOPS
INDONESIA
Modern Architectures are API driven requiring a DevOps
approach to API management. Visibility, routing, and authorization
are key security concerns.

DEVOPS
INDONESIA
Plan - Thread Modeling ToolsPlan - Thread Modeling Tools
OWASP Threat Dragon Project
Threat Dragon is a free, open-source threat modeling tool
from OWASP. It can be used as a standalone desktop app
for Windows and MacOS (Linux coming soon) or as a web
application. The desktop app is great if you want to try the
application without giving it access to your GitHub repos, but
if you choose the online version you get to unleash the
awesome power of GitHub on your threat models! Obviously,
to do this you need to log in first..
https://github.com/appsecco/owasp-threat-dragon-gitlab

DEVOPS
INDONESIA
Docker Host Security ComplianceDocker Host Security Compliance

DEVOPS
INDONESIA
Security Automation for Containers and VMsSecurity Automation for Containers and VMs
with OpenSCAPwith OpenSCAP
SCAP is a set of specifications related to security automation. SCAP is used to
improve security posture - hardening and finding vulnerabilities—as well as
regulatory reasons
https://github.com/dstraub/satellite-plugin
https://github.com/RedHatSatellite/soe-ci
https://servicesblog.redhat.com/2017/06/12/standard-operating-environment-
part-iii-a-reference-implementation/

DEVOPS
INDONESIA
API-aware Networking and SecurityAPI-aware Networking and Security
Cilium brings API-aware network security
filtering to Linux container frameworks like
Docker and Kubernetes. Using a new Linux
kernel technology called BPF, Cilium provides a
simple and efficient way to define and enforce
both network-layer and application-layer security
policies based on container/pod identity.

DEVOPS
INDONESIA
Secure container-aware credentials storage,Secure container-aware credentials storage,
trust management.trust management.
HashiCorp Vault secures, stores, and tightly
controls access to tokens, passwords,
certificates, API keys, and other secrets in
modern computing. Vault handles leasing, key
revocation, key rolling, and auditing. Through a
unified API, users can access an encrypted
Key/Value store and network encryption-as-a-
service, or generate AWS IAM/STS credentials,
SQL/NoSQL databases, X.509 certificates, SSH
credentials, and more.
https://github.com/jenkinsci/hashicorp-vault-
plugin

DEVOPS
INDONESIA
Static source-code analysis / static applicationStatic source-code analysis / static application
security testing (sast)security testing (sast)
Brakeman - Rails Security Scanner
Static analysis security scanner for Ruby on Rail
https://jenkins.io/doc/pipeline/steps/brakeman/
https://jenkins.io/blog/2016/08/10/rails-cd-with-pipeline/

DEVOPS
INDONESIA
Static source-code analysis / static applicationStatic source-code analysis / static application
security testing (sast)security testing (sast)
SonarQube is an open source platform
developed by SonarSource for continuous
inspection of code quality to perform automatic
reviews with static analysis of code to detect
bugs, code smells, and security vulnerabilities
on 20+ programming languages
https://docs.sonarqube.org/display/SCAN/Analy
zing+with+SonarQube+Scanner+for+Jenkins
https://www.owasp.org/index.php/Source_Code
_Analysis_Tools

DEVOPS
INDONESIA
Static Application Security Testing (SAST)Static Application Security Testing (SAST)
Clair: The Container Image Security Analyzer
Clair is an open source project for the static analysis of vulnerabilities in
application containers (currently including appc and docker).
https://github.com/benfab/clair-demo
Integrate the image scanning into Jenkins pipelines with clairctl
Clairctl is a lightweight command-line tool doing the bridge between Registries as
Docker Hub, Docker Registry or Quay.io, and the CoreOS vulnerability tracker, Clair.
Clairctl will play as reverse proxy for authentication.
https://github.com/jgsqware/clairctl
Jenkins CI Image Vulnerability Scan
https://github.com/protacon/ci-image-vulnerability-scan
https://github.com/jgsqware/clairctl

DEVOPS
INDONESIA
Dynamic Application Security Testing (DAST)Dynamic Application Security Testing (DAST)
OWASP Zed Attack Proxy Project
is one of the world’s most popular free security tools and is actively maintained
by hundreds of international volunteers*. It can help you automatically find
security vulnerabilities in your web applications while you are developing and
testing your applications. Its also a great tool for experienced pentesters to use
for manual security testing.
https://plugins.jenkins.io/zapper
https://wiki.jenkins.io/display/JENKINS/Zapper+Plugin
https://youtu.be/xMLb7BDdfNo

DEVOPS
INDONESIA
Dynamic Application Security Testing (DAST)Dynamic Application Security Testing (DAST)
Free, Simple, Distributed, Intelligent, Powerful,
Friendly.
Arachni is a feature-full, modular, high-performance
Ruby framework aimed towards helping penetration
testers and administrators evaluate the security of
modern web applications.
https://blog.secodis.com/2016/03/17/automated-
security-tests-3-jenkins-arachni-threadfix/
https://wiki.jenkins.io/display/JENKINS/Arachni+Scan
ner+plugin

DEVOPS
INDONESIA
Mobile Application Security Testing (MAST)Mobile Application Security Testing (MAST)
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application
(Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware
analysis. It can be used for effective and fast security analysis of Android, iOS and Windows
mobile applications and support both binaries (APK, IPA & APPX ) and zipped source code.
MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing
capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to
make your CI/CD or DevSecOps pipeline integration seamless.
https://medium.com/@omerlh/how-to-continuously-hacking-your-app-c8b32d1633ad
https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/10.-MobSF-CI-CD

DEVOPS
INDONESIA
Security FrameworkSecurity Framework
Managed Ecosystem for Secure Operations
SIMP is an Open Source, fully automated, and extensively tested
framework that can either enhance your existing infrastructure or allow
you to quickly build one from scratch. Built on the mature Puppet product
suite, SIMP is designed around scalability, flexibility, and compliance.

DEVOPS
INDONESIA
Container Security FrameworkContainer Security Framework
NIST Special Publication 800-190: Application Container Security Guide
Access Control; Configuration Management; System and Communications Protection; System and
Information Integrity; Audit and Accountability; Awareness and Training; Identification and
Authentication; Incident Response; Risk Assessment;
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf

DEVOPS
INDONESIA
BRINGING IT ALL TOGETHERBRINGING IT ALL TOGETHER

DEVOPS
INDONESIA
Homework!!Homework!!

DEVOPS
INDONESIA
Continues learning DevSecOps conceptsContinues learning DevSecOps concepts
OWASP DevSecOps Studio Project DevSecOps Studio is one
of its kind, self contained DevSecOps environment/distribution
to help individuals in learning DevSecOps concepts. It takes
lots of efforts to setup the environment for training/demos and
more often, its error prone when done manually.
Features:
● Easy to setup environment with just one command “vagrant up”
● Teaches Security as Code, Compliance as Code, Infrastructure
as Code
● With built-in support for CI/CD pipeline
● OS hardening using ansible
● Compliance as code using Inspec
● QA security using ZAP, BDD-Security and Gauntlt
● Static tools like bandit, brakeman, windbags, gitrob, gitsecrets
● Security Monitoring using ELK stack.

DEVOPS
INDONESIA
BRINGING IT ALL TOGETHERBRINGING IT ALL TOGETHER
● Git server to store code and infrastructure (as code).
● CI/CD pipeline to embed security as part CI/CD like SAST,
DAST, hardening, compliance etc.,
● Add Security tools as jobs.
● Analyze and fix the issues found.
https://github.com/teacheraio/DevSecOps-Studio/wiki

DEVOPS
INDONESIA
Question???Question???

DEVOPS
INDONESIA
linkedin.com/in/yusufhadiwinata/
https://www.meetup.com/Docker-Indonesia/
Stay Connected
@devopsindonesia
facebook.com/yusuf.hadiwinata
www.devopsindonesia.com
linkedin.com/in/mademulia/
https://www.meetup.com/DevOps-Indonesia

DEVOPS
INDONESIA
Are You Awesome?Are You Awesome?
We are Hiring !We are Hiring !
CheckCheck https://t.me/IDDevOpshttps://t.me/IDDevOps for detailfor detail

DEVOPS
INDONESIA
Alone We are smart, together We are brilliant
THANK YOU !
Quote by Steve Anderson

Devops Indonesia - DevSecOps - The Open Source Way

More Related Content

What's hot

Similar to Devops Indonesia - DevSecOps - The Open Source Way

More from Yusuf Hadiwinata Sutandar

Recently uploaded

Devops Indonesia - DevSecOps - The Open Source Way