VSHN - The DevOps Company
DevSecOps
Security in DevOps
Aarno Aukia, CTO @ VSHN - The DevOps Company
05.10.2020
WeAreDevelopers Live Week
Agenda
● About Aarno & VSHN.ch
● Why? From Dev to DevOps to DevSecOps
● What? DevSecOps principles
● How? Concrete measures
● Who? Customer Example: Finnova AG Bankware
● Because? Resulting IT Governance & security benefits
About Aarno & VSHN.ch
@aarnoaukia a@vshn.ch
ETH → Google → Atrila → VSHN
VSHN - The DevOps Company, @vshn_ch
Since 2014, currently 45 VSHNeers in Zürich, Switzerland
Helping developers run online businesses without having to worry about operations
Software Project Management
Requirements Design Implementation Validation Maintenance
Software Project Management
Requirements Design Implementation Testing Release
Stakeholder: Biz
Software Project Management: Dev vs. Ops
Requirements Design Implementation Testing Release
Stakeholders: Dev, Ops, Biz
OPS = Firefighting-as-a-Service?
DevOps: People, Processes & Tools
Collaboration between software developers and operations:
● Teamwork
● Continuous improvement
● Efficient and lean
● Agile: being able to react to new requirements
● Automate as much as possible (“Infrastructure as code”)
Software Project Management: DevOps
Requirements Design Implementation Testing Release Deploy Operate Monitor
+ SECURITY
Software Project Management: DevSecOps
Requirements Design Implementation Testing Release Deploy Operate Monitor
Security activities along the pipeline: Todo-List, Data & Risks, Secure Practices, Validation, traceability, auditability, Anomalies, Availability
Areas of security improvement
● Developer education, requirements engineering, design review → AppSec/DevSec
● Software build/deployment/operations → DevSecOps
● Incident detection & management → SecOps
DevSecOps principles
Build
● static code analysis automatically for each commit (DevSecOps principle 4)
● dependency management (DevSecOps principle 5)
● (base) container image scanning (DevSecOps principle 5)
Code analysis: SonarQube
Dependency updates: https://dependabot.com
Container scanning: Aqua Security (aquasec)
Test & Deployment
● smoke tests (DevSecOps principle 4)
● as many test environments as necessary (DevSecOps principle 4)
● atomic container deployment (DevSecOps principle 6)
● every deployment (and rollback) is a “normal deployment” (DevSecOps principle 6)
● deployment automation removes the need for (all) devs to have root access to prod, and the need to wait for ops to deploy a new dev version (DevSecOps principle 6)
Ops (DevSecOps principle 1)
● standardization on a (minimal, hardened) OS and container orchestrator
● immutable (application) infrastructure using containers
● process/storage/network separation of applications/environments
● detect/prevent configuration drift between dev/test/stage/prod environments
● documentation & automatic backup of all volumes
● documentation & monitoring of routes/load balancers/ingress points, enforcing SSL/TLS
● AAI (authentication & authorization infrastructure) for admin & application
● key & secrets management
● audit logging of control & application planes
Container isolation
● kernel namespacing (process & network)
● control groups (resource quotas to prevent DoS)
● SELinux (mandatory access control labels on processes and files; syscall filtering is a separate mechanism, seccomp, not SELinux)
● prevent running as root inside the container, no user-provided privileged containers (enforce best practice)
● read-only container filesystem (harder for an attacker to persist at runtime)
Container technology: Docker
● “Docker”
○ kernel-based process isolation, originally via lxc, then libcontainer, now runc (the reference runtime of the Open Container Initiative (OCI) standard)
○ open source tools for container image creation and management (“Docker CE”)
○ company based in San Francisco (“Docker Inc.”)
○ enterprise software product (“Docker EE”)
○ online portal for public Docker images (“Docker Hub”, hub.docker.com)
● “Dockerfile”
○ text file containing all the instructions to build and assemble the application into a container image, including application code, app server, plugins, modules, libraries down to libc
○ goal: document & automate the build process
○ usually kept in the application's Git repository
○ references a base image on top of which the application is added incrementally
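The Dockerfile is the document of the build, so it is also the first thing the "static analysis for each commit" from the Build slide can check. The following is an added example (not VSHN's or Finnova's tooling) of such a pre-merge check: it parses a Dockerfile, including backslash continuations, and flags an unpinned base image, a final stage that still runs as root, an ADD from an unverified URL, and a credential baked in via ENV. The two sample Dockerfiles are constructed for this example and the sha256 digest is an all-zero placeholder, not a real image.

```python
"""Dockerfile policy check for the build stage (added example, not VSHN's or Finnova's tooling).
The two sample Dockerfiles are constructed; the sha256 digest is an all-zero placeholder."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    message: str


def parse_instructions(text):
    """Return [(line, INSTRUCTION, args)], joining backslash continuations and dropping comments."""
    instructions, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines may also appear inside a continuation
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        instr, _, args = " ".join(buf).partition(" ")
        instructions.append((start, instr.upper(), args.strip()))
        buf, start = [], None
    return instructions


SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY", re.IGNORECASE)


def lint_dockerfile(text):
    """Rules: pinned base image, non-root final stage, no ADD from URLs, no credentials in ENV."""
    findings, instrs = [], parse_instructions(text)
    from_idx = [i for i, (_, ins, _) in enumerate(instrs) if ins == "FROM"]
    if not from_idx:
        return [Finding(1, "no-from", "Dockerfile has no FROM instruction")]
    stage_names = set()
    for i in from_idx:
        n, _, args = instrs[i]
        parts = [p for p in args.split() if not p.startswith("--")]  # skip flags such as --platform
        image = parts[0]
        if len(parts) == 3 and parts[1].upper() == "AS":
            stage_names.add(parts[2])
        if image == "scratch" or image in stage_names or "@sha256:" in image:
            continue  # empty base, an earlier build stage, or already digest-pinned
        name = image.rsplit("/", 1)[-1]  # drop registry[:port]/namespace before looking for a tag
        if ":" not in name or name.endswith(":latest"):
            findings.append(Finding(n, "unpinned-base",
                                    f"base image {image!r} is untagged or :latest; pin a tag, preferably a digest"))
    for n, ins, args in instrs:
        if ins == "ADD" and re.search(r"https?://", args):
            findings.append(Finding(n, "add-url",
                                    "ADD fetches an unverified URL; download in RUN and check a checksum, or COPY a vetted artifact"))
        if ins == "ENV" and SECRET_NAME.search(args):
            findings.append(Finding(n, "secret-in-env",
                                    "credential baked into the image via ENV; inject it at runtime from a secrets manager"))
    final_stage = instrs[from_idx[-1]:]  # only the last stage ships
    user_line, user = final_stage[0][0], "root"
    for n, ins, args in final_stage:
        if ins == "USER":
            user_line, user = n, args.split(":")[0]
    if user in ("root", "0"):
        findings.append(Finding(user_line, "runs-as-root", "final stage runs as root; add USER with a non-zero UID"))
    return findings


INSECURE_DOCKERFILE = """\
FROM ubuntu
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/app.tar.gz /opt/
RUN apt-get update && \\
    apt-get install -y python3
COPY app.py /opt/app.py
CMD ["python3", "/opt/app.py"]
"""

HARDENED_DOCKERFILE = """\
# build stage: a tagged base is tolerated here, nothing from it ships
FROM python:3.11-slim AS builder
COPY app.py /opt/app.py

# runtime stage: digest-pinned base (placeholder digest), dedicated non-root UID
FROM python:3.11-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN useradd --uid 10001 --no-create-home app
COPY --from=builder /opt/app.py /opt/app.py
USER 10001
CMD ["python3", "/opt/app.py"]
"""

if __name__ == "__main__":
    for label, dockerfile in (("insecure", INSECURE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        findings = lint_dockerfile(dockerfile)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line} [{f.rule}] {f.message}")
```

Only the last build stage is judged for the USER rule, because in a multi-stage build the earlier stages never reach the registry; the base-image rule, by contrast, applies to every FROM, since an unpinned builder image still makes the build non-reproducible.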
12 Factor App patterns: https://12factor.net/
Twelve-factor apps:
● use declarative formats for setup automation
● have a clean, portable contract with the underlying operating system
● are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration;
● minimize divergence between development and production, enabling continuous deployment for maximum agility;
● and can scale up without significant changes to tooling, architecture, or development practices.
From container to production?
Container orchestration: Kubernetes
● How many container instances should be running per service?
● On which IP/port/server are they running?
● Service discovery
● What happens if a container/server goes away?
● scaling, load balancing, rolling deployments, persistent storage, networking
Layers of abstraction
Bottom to top: Hardware (Cloud/Onprem), Operating System, Service discovery & Load balancing, Application Server, Application
Docker and Kubernetes cover the layers between the Operating System and the Application.
Zooming in...
Kubernetes ecosystem
● Logging: EFK
● Metrics: Prometheus
● TLS certificates: cert-manager (letsencrypt.org)
● Source-to-image builder, Dockerfile builder, Docker image registry
● Load balancing: Ingress, NGINX
● horizontal (auto)scaling, rolling deployments
● Scanning: image scanning (registry & runtime)
AAI: Keycloak
● Identity & Access Management
● single sign-on / single sign-out
● identity brokering:
○ OpenID Connect (OAuth2; Facebook/Twitter/GitHub etc.)
○ SAML 2.0
○ Kerberos
● user federation: LDAP, AD, etc.
● 2FA: TOTP/HOTP
● managing the authorization groups
Logs: ELK/EFK/Graylog
● log all access and changes through the control plane
● log all access to the application and correlate it with the application logs
● index, view, filter, aggregate KPIs → monitoring
● store outside of the application's scope (a compromised application must not be able to alter its own logs)
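Logging control-plane access is only useful if something reads it. As an added example (not VSHN's or Finnova's code), a small detector over Kubernetes API server audit events in the JSON-lines form the audit backend writes: it flags interactive exec into production pods, people reading production secrets (including denied attempts, which are reconnaissance), and RBAC changes. It also shows the one trap in this log: the API server emits one event per request stage with the same auditID, so only the ResponseComplete stage is counted. The events, usernames, pod names and the set of production namespaces are constructed for this example.

```python
"""Detection over Kubernetes API server audit events (added example, not VSHN's or Finnova's code).
EVENTS are constructed in the audit.k8s.io/v1 shape; usernames and pod names are made up."""
import json

PROD_NAMESPACES = {"prod"}  # assumption: which namespaces count as production

# The API server writes one event per stage of a request (RequestReceived, ResponseComplete, ...)
# sharing one auditID; e3 appears twice below for that reason.
EVENTS = [
    {"auditID": "e1", "stage": "ResponseComplete", "verb": "list",
     "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"resource": "secrets", "namespace": "prod"}, "responseStatus": {"code": 200}},
    {"auditID": "e2", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "alice@example.invalid"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-credentials"},
     "responseStatus": {"code": 200}},
    {"auditID": "e3", "stage": "RequestReceived", "verb": "create",
     "user": {"username": "bob@example.invalid"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-7d9f4-x2k1q"}},
    {"auditID": "e3", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "bob@example.invalid"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-7d9f4-x2k1q"},
     "responseStatus": {"code": 101}},
    {"auditID": "e4", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "bob@example.invalid"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "dev", "name": "api-5c8b2-q9z7m"},
     "responseStatus": {"code": 101}},
    {"auditID": "e5", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "deployments", "apiGroup": "apps", "namespace": "prod", "name": "api"},
     "responseStatus": {"code": 201}},
    {"auditID": "e6", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "alice@example.invalid"},
     "objectRef": {"resource": "clusterrolebindings", "apiGroup": "rbac.authorization.k8s.io", "name": "alice-admin"},
     "responseStatus": {"code": 201}},
    {"auditID": "e7", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "mallory@example.invalid"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-credentials"},
     "responseStatus": {"code": 403}},
]
AUDIT_LOG = "\n".join(json.dumps(e) for e in EVENTS)  # JSON lines, as the audit backend writes them

RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}


def is_human(user):
    """System components and service accounts carry 'system:' usernames; anything else is a person (or a stolen token)."""
    return not user.get("username", "").startswith("system:")


def detect(audit_jsonl):
    """Return alerts for interactive prod access, human reads of prod secrets and RBAC changes."""
    alerts = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # count each request once, at the stage that carries the outcome
        user, ref = ev.get("user", {}), ev.get("objectRef", {})
        ns, verb = ref.get("namespace", ""), ev.get("verb")
        code = ev.get("responseStatus", {}).get("code", 0)
        base = {"auditID": ev.get("auditID"), "user": user.get("username"), "denied": code in (401, 403)}
        if ref.get("resource") == "pods" and ref.get("subresource") == "exec" and ns in PROD_NAMESPACES:
            alerts.append({**base, "rule": "prod-exec", "detail": f"exec into {ns}/{ref.get('name')}"})
        if ref.get("resource") == "secrets" and verb in ("get", "list", "watch") and ns in PROD_NAMESPACES and is_human(user):
            alerts.append({**base, "rule": "human-secret-read", "detail": f"{verb} secrets in {ns}: {ref.get('name', '*')}"})
        if ref.get("resource") in RBAC_RESOURCES and verb in ("create", "update", "patch", "delete"):
            alerts.append({**base, "rule": "rbac-change", "detail": f"{verb} {ref.get('resource')}/{ref.get('name')}"})
    return alerts


if __name__ == "__main__":
    for a in detect(AUDIT_LOG):
        print(f"{a['auditID']} {a['rule']:<18} {a['user']:<24} {'DENIED ' if a['denied'] else ''}{a['detail']}")
```

The exec rule deliberately ignores the dev namespace: the deck's point is that automation removes the need for shells in prod, not everywhere, and a rule that fires on every developer's dev pod is switched off within a week.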
Metrics: Prometheus / NewRelic
● Prometheus
○ time series database
○ open source / CNCF project
○ well integrated with Docker/Kubernetes metrics
● NewRelic APM
○ application-level profiling
○ performance tracking
○ exception tracking (backend & frontend)
○ available as SaaS
Example: Finnova AG Bankware
● developer and operator of banking software used by ~100 banks
● based in Lenzburg, Switzerland
● founded 1974
● ~400 employees
Deployment Process & Security
Deployment: DEV (Repository, GitHub) → Files (Pods) → Docker Images → Container (OpenShift) → Operations AM Seewen (PRD)
Security: Code → Image scan (Security & Compliance Policies) → Runtime
» Code analysis » Image scanning » Container hardening
» Network security » Monitoring » Logging & reporting
» Code security » Access » Security & auditing
Architecture and Security
Traditional IT governance
● “Full Stack Audit”
● review the design document
● every layer was custom built:
○ physical hardware
○ handcrafted servers
○ manual application deployment
● review each layer
● review each layer again next year...
Cloud native IT governance
● standardized components
○ already audited, some even externally certified
○ re-used, economies of scale, CMMI level 5
○ technical controls (AAI, RBAC, logs/SIEM) implemented once
○ financial controls implemented once
● Infrastructure: private/public cloud
● Ops: container orchestration platform
● review the design document & platform configuration
IT governance controls in container platforms
● prevent configuration drift
○ immutable (application) infrastructure using containers
○ deploy dev/test/stage/prod environments from CI/CD
● prevent manual errors
○ validate configuration in CI/CD before deployment
○ standardization on a (minimal, hardened) OS and container orchestrator
○ deployment automation removes the need for (most) root access to prod
● security by default
○ image scanning, dependency vulnerability management
○ process/storage/network separation of applications/environments
○ volumes & ingress points best practice (documentation, monitoring, backup, SSL/TLS/WAF)
○ AAI for admin & application, audit trail logging of CI/CD, control & application planes
○ key & secrets management
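The container isolation rules from the Ops section (no root inside the container, no user-provided privileged containers, read-only root filesystem, cgroup quotas, no sharing of host kernel namespaces) and the "validate configuration in CI/CD before deployment" control above are the same check, applied at different points. The following is an added example (not VSHN's, OpenShift's or Finnova's code) of that check run over Pod manifests in the pipeline before kubectl apply; inside the cluster the same rules are enforced by OpenShift Security Context Constraints or Kubernetes Pod Security Admission, and this script does not replace them. The two manifests, the image registry and the all-zero digest are constructed for this example.

```python
"""Pre-deployment check of Pod manifests against the platform's isolation rules
(added example, not VSHN's, OpenShift's or Finnova's code). Manifests are constructed;
the image digest is an all-zero placeholder."""
import json


def _effective(pod_sc, container_sc, key):
    """A container-level securityContext field overrides the Pod-level one, as the kubelet applies it."""
    return container_sc.get(key, pod_sc.get(key))


def check_pod(manifest):
    """Return violations for one Pod manifest (dict); an empty list means it may be deployed."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            violations.append(f"pod: {flag}=true shares a host kernel namespace")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        uid = _effective(pod_sc, sc, "runAsUser")
        non_root = _effective(pod_sc, sc, "runAsNonRoot")
        if uid == 0 or (uid is None and not non_root):
            violations.append(f"{name}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")
        if not sc.get("readOnlyRootFilesystem"):  # container-level field only
            violations.append(f"{name}: root filesystem is writable")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                violations.append(f"{name}: no {res} limit, so no cgroup quota against DoS")
    return violations


def admit(manifest_json):
    """CI gate: parse the manifest (kubectl accepts JSON as well as YAML) and decide."""
    violations = check_pod(json.loads(manifest_json))
    return (not violations, violations)


# What a developer might hand in to "just debug prod": breaks every rule at once.
DEBUG_POD = """{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "debug-shell", "namespace": "prod"},
  "spec": {
    "hostPID": true,
    "containers": [{"name": "shell", "image": "ubuntu:latest",
                    "securityContext": {"privileged": true}}]
  }
}"""

# The compliant shape: non-root UID set at Pod level, read-only root filesystem with an
# explicit emptyDir for /tmp, resource limits, digest-pinned image (placeholder digest).
API_POD = """{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "api", "namespace": "prod"},
  "spec": {
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
    "containers": [{
      "name": "api",
      "image": "registry.example.invalid/shop/api@sha256:0000000000000000000000000000000000000000000000000000000000000000",
      "securityContext": {"readOnlyRootFilesystem": true, "allowPrivilegeEscalation": false},
      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
      "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]
    }],
    "volumes": [{"name": "tmp", "emptyDir": {}}]
  }
}"""

if __name__ == "__main__":
    for label, manifest in (("debug-shell", DEBUG_POD), ("api", API_POD)):
        allowed, violations = admit(manifest)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
        for v in violations:
            print(f"  - {v}")
```

A read-only root filesystem only works when the application's scratch directories are mounted explicitly, which is why the compliant manifest adds an emptyDir on /tmp; without it the first write to a temp file fails and the team's usual fix is to switch the flag off again.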
IT governance: financial/compliance controlling
● compute resources billable by project
● self-service onboarding possible
● autoscaling, scale-down of dev environments outside office hours
● vendor procurement/due diligence/certification management
● SLA, 24x7, service process, escalation management clearly defined
DevSecOps principles
Thank you
● Please get in touch with feedback
● Twitter: @aarnoaukia
● LinkedIn: https://www.linkedin.com/in/aukia/
● Email: aarno.aukia@vshn.ch
Come visit us for a coffee!
VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - info@vshn.ch
https://vshn.ch/kontakt/
Follow us on Twitter! @vshn_ch
