The document discusses the growing interest in integrating security into DevOps, highlighting the importance of training and designing systems that account for human behavior. It outlines the evolution of security risks from 2007 to 2017 as identified by OWASP and introduces the concept of DevSecOps with a focus on automation, supply chain security, and effective logging and monitoring. Key recommendations include securing deployment pipelines, implementing robust secrets management, and promoting quality assurance measures throughout the software development lifecycle.

2. ●
●
●
●
●

3. “In the past 12 months at Gartner, how to securely integrate
security into DevOps — delivering DevSecOps — has been one of
the fastest-growing areas of interest of clients, with more than
600 inquiries across multiple Gartner analysts in that time frame”
- Ian Head & Neil MacDonald, Dec 2017.
https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/

4. IT’S THEM PESKY HUMANS?
WE NEED TO MAKE THEM SMARTER.
RIGHT?

5. OWASP TOP 10
2007
Cross-site scripting (XSS)
Injection flaws
Malicious file execution
Insecure direct object reference
Cross-site request forgery (CSRF)
Information leakage & improper error handling
Broken authentication & session management
Insecure cryptographic storage
Insecure communications
Failure to restrict URL access

6. OWASP TOP 10
2017 RC2
Injection
Broken authentication
Sensitive data exposure
XML External Entities (XXE)
Broken access control
Security misconfiguration
Cross-site scripting (XSS)
Insecure deserialization
Using components with known vulnerabilities
Insufficient logging & monitoring
2007
Cross-site scripting (XSS)
Injection flaws
Malicious file execution
Insecure direct object reference
Cross-site request forgery (CSRF)
Information leakage & improper error handling
Broken authentication & session management
Insecure cryptographic storage
Insecure communications
Failure to restrict URL access

7. “Education and awareness are
not the only answer for security.
You need to design around
humans. ”
- Theresa Payton, former
White House CIO and star of
Hunted. Nov. 2018

8. EVOLVING RISK MANAGEMENT

9. Reuse
AutomationMicroservices Immutability
Pervasive access
Speed
Rapid tech churn
Flexible deploys
Containers
Software-defined
MANA
MANAGED RISK
Dev Ops

10. DevSecOps - Traditional and Cloud Native
# _

11. DevSecOps the open source way
APPLICATION PIPELINE
DEPLOYMENT INFRASTRUCTURE PIPELINE
DEVELOPMENT TEST ENVS. PRODUCTION
DEV
MONITORINGANDLOGGING
SUPPLY CHAIN IMAGES & ARTIFACTS
Write App
Code
Build App Unit Test
Package
App
Deploy
App
Write Infa
Code
Build
Images
Validate
Infra
Automate
Infra
Deploy
Infra
OPS

12. 12
DEPLOYMENT
PIPELINE

13. Application Build Secure CI/CD Pipeline
Application
Build
Code
Quality
Scanning
Image
Build
Image
Scanning
Tests Production
Deployment
DEPLOYMENTPIPELINE

14. Pipeline deployed securely
SysDig
Twistlock
SonatypeSonatype
DEPLOYMENTPIPELINE

15. 15
SUPPLY CHAIN

16. ● Community leadership
● Package selection
● Manual inspection
● Automated inspection
● Packaging guidelines
● Trusted builds
Upstream
Community
projects
Enterprise
products
Customers
SUPPLY CHAIN SECURITY
● Quality assurance
● Certifications
● Signing
● Distribution
● Support
● Security updates/patches
SUPPLYCHAIN

17. ENTERPRISE REGISTRIES
● Geo-replication and HA
● Access controls
● Remote metadata inspection
● Automated builds
● Security scans
SKOPEO
Image
Repository
Image
Registry
Host
/var/lib/containers
/var/lib/docker
SUPPLYCHAIN

18. 18
DEPLOYMENT
ENVIRONMENTS

19. IMMUTABLE CONTAINER INFRASTRUCTURE
● Minimal Linux distribution
● Optimized for running containers
● Decreased attack surface
● Over-the-air automated updates
● Bare-metal and cloud host configuration
DEPLOYMENTENV.

20. Security features include
● Role-based Access Controls with
LDAP and OAuth integration
● Secure communication
● Logging, Monitoring, Metrics
SECURING THE CONTAINER PLATFORM
101010101010101010
101010101010101010
101010101010101010
10101011010
● Multitenancy via Project namespaces and
integrated SDN (Kube CNI plug-in)
● Integrated & extensible secrets management
DEPLOYMENTENV.

21. ● Secure mechanism for holding sensitive data e.g.
○ Passwords and credentials
○ SSH Keys
○ Certificates
● Secrets are made available as
○ Environment variables
○ Volume mounts
○ Interaction with external systems (e.g. vaults)
● Encrypted in transit and at rest
● Never rest on the nodes
SECRETS MANAGEMENT
DEPLOYMENTENV.

22. DEPLOYMENTENV.
NETWORK DEFENSE
NETWORK SERVICES
STORAGE SERVICES
APPLICATION NETWORKOPERATIONS NETWORKPUBLIC NETWORK
CLOUD PLATFORM SERVICES
DNS LOAD BALANCING DIRECTORY SERVICES
CONTAINER PLATFORM
APPLICATION NODESMASTER NODES INFRASTRUCTURE NODESBASTION HOST
Internet-accessible network that
supports user workloads
Private network for administration
and operations
Private network for inter-app and
inter-container communications

23. 23
LOGGING &
MONITORING

24. Logging
Events:
Cloud,
Host,
Container,
Application
Event and Log aggregation
Normalize and store
Visualize and Alert
MONITORINGANDLOGGING

25. Monitoring
MONITORINGANDLOGGING
Time
Key , Value

26. ● Secure the deployment pipeline
● Secure the supply chain
● Secure the deployment environment
● Log and monitor all the things
● Stop blaming the people

27. Follow me on twitter at @ghaff
http://www.bitmasons.com