Tej Luthra, profile picture
Uploaded byTej Luthra
PPTX, PDF255 views

Secure DevOPS Implementation Guidance

The document outlines the importance of integrating security into DevOps practices, referred to as Secure DevOps, emphasizing continuous integration, deployment, and the adoption of automated security measures. It highlights the growing necessity for organizations to address cybersecurity vulnerabilities within development processes, with specific predictions about the future state of DevSecOps initiatives. Recommendations include adopting an immutable infrastructure mindset and promoting a culture of security among development teams.

Embed presentation

Downloaded 13 times
Secure DevOps Awareness & a Guide to Practical Implementation BSides 2018 01 June 30, 2019 Merlin International, Inc.
Merlin International June 30, 2019 2 Tej Luthra VP Engineering CyberSecurity and Security Analytics At Merlin International, Tej Luthra is building and leading a development team responsible for the integration of existing technologies and the development of new solutions that address organizations’ most pressing cybersecurity challenges. Devesh Arora Dir. Engineering Software Development & Web Services At Merlin International, Devesh Arora is leading a team responsible for development of front-end & microservices along with the secure DevOps strategy and implementation.
June 30, 2019 3 Agenda
Opportunity June 30, 2019 4 Secure DevOps Continuous Information Assurance Cloud native and rapid adoption of cloud platforms Use of CI/CD - Continuous Integration/Continuous Deployment Deliver secure code by integrating security practices into the pipeline Benefits Protect your systems, data and business Reputation, brand, profits Reduce Risk Customer Confidence Reduce Costs By 2019 only 10% of DevOps initiatives will have achieved the level of security automation required to be considered fully DevSecOps, up from less than 5% in 2017. By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.Opportunity January 16, 2019 4 Secure DevOps Continuous Information Assurance Cloud native and rapid adoption of cloud platforms Use of CI/CD - Continuous Integration/Continuous Deployment Deliver secure code by integrating security practices into the pipeline Benefits Protect your systems, data and business Reputation, brand, profits Reduce Risk Customer Confidence Reduce Costs By 2019 only 10% of DevOps initiatives will have achieved the level of security automation required to be considered fully DevSecOps, up from less than 5% in 2017. By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.
What is DevOPS June 30, 2019 5 Secure DevOps DevOps is agile on steroids As a methodology to build software fast Accelerates the velocity with which products are deployed to customers DevOps begins with all things continuous • Continuous Integration (CI) is the principle that code changes are checked into the source code repository in small batches • Continuous delivery and deployment are principles for how the results of testing are reviewed, and system automatically makes decision as to what to do with the build • Continuous Testing, Quality, Security, Governance, and so on …
Why DevOPS June 30, 2019 6 Secure DevOps Businesses need to accelerate the delivery of applications Focuses on quickly moving new features out to the customers Give Dev teams capability to deploy quickly and continuously … and the responsibility to support code in production Tear down the traditional silos of IT, namely between development and operations Puppet Labs 200x increase in speed from code commit to deploy 30x more frequent deployments 60% fewer production failures Bank of America 6x reduction in production defects Ticket Master Reduced Mean Time to Repair by 90% Source: https://www.slideshare.net/AndersLundsgrd/the-devops-journey-in-an-enterprise-scania-swisscom-software-day-2016
The Ying and the Yang June 30, 2019 7 Secure DevOps Challenges organizations face • Adoption of DevOps practices introduces complications • Auditing standardized security controls • Constantly changing assets with CD • Segregation of duties • Tracking cloud assets, extreme virtualization • DHCP logging or NAC/802,1x • Especially when controlled by 3rd party And there are opportunities • Focus on fast deployment, continual improvement, and automation • Naturally forces collaboration with teams • Avoids last-minute manual audits • Continuously TVM Shift Left • Security teams engaged early • Design, Deploy, Security Reviews • Ability to influence future heartburns • Deploy small changes • With reduced risk • Enforces standardized configurations • Logging, alerting and security metrics
The full end-to-end product lifecycle June 30, 2019 8 Secure DevOps
Build & Unit Tests Containerize Package Code Commit Code quality Scan Continuous Integration Frequent Code Check-ins Focus on Code Quality Automated Tests Find & Fix Bugs/Issues Soon Continuous Integration Secure DevOps June 30, 2019
Build & Unit Tests Container Package Code Commit Code quality Scan Continuous Integration git Artifact Repository Tests Functional | Integration | Performance | UAT | Smoke D e p l o y m e n t Test Staging Prod C o d e P r o m o t i o n Manual Continuous Delivery Release Management Logging & Monitoring Secure DevOps June 30, 2019
Build & Unit Tests Container Package Code Commit Code quality Scan Continuous Integration git Artifact Repository Tests Functional | Integration | Performance | UAT | Smoke D e p l o y m e n t Test Staging Prod A u t o m a t e d C o d e P r o m o t i o n Continuous Deployment Release Management Logging & Monitoring Secure DevOps June 30, 2019
Route to Secure DevOPS 6/30/2019 12 Secure DevOps Why • Criminals & hackers focus on weakness • A part of your security strategy • Constantly Evaluate Business Risks • Federal, State, Local, Regulatory Challenges • Believed too costly • Split between Functionality and Speed • Private / Behind a firewall • Find and Fix • Tools and Resources Considerations • Risk Assessments • Policy – Procedures – Processes • Regulatory – PCI, HIPAA, FISMA • Physical Infrastructure • Methodology • Data Strategy • Threat Modeling • Testing Source: https://www.cisecurity.org/webinar/foundations-of-an-application-security-program/
Security lifecycle in DevOPS June 30, 2019 14 Common action items including static & dynamic code analysis, vulnerability scanning, anti- virus scans, and other similar integrity functions The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization Secure DevOps NIST 800-115: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
Common Requirements June 30, 2019 15 Access Control Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Security Assessment System & Comm. Protection System & Information Integrity Secure DevOps
Guidance June 30, 2019 16 Secure DevOps Refine information security objectives for adoption Integrate continuous security assurance seamlessly into CI/CD toolchain Perfect security is impossible. Zero risk is impossible The entire DevOps life cycle needs to be secured Address Risk with continuous run time assessment, augment with existing cybersecurity framework
June 30, 2019 17 Secure DevOps Identify known vulnerabilities Use of reusable libraries and frameworks The amount of custom code is reducing considerably Open-source software (OSS) presents a unique challenge
Secure Configurations for HW & SW June 30, 2019 18 Known vulnerabilities Use custom hardened system images Center for Internet Security (CIS) CICD Tools simplify process of rolling out Secure DevOps
Automated Deployment of Infrastructure and Software June 30, 2019 19 Use blue-green deployment scenario Same principles apply to “infrastructure as code” Early adopter scenarios Secure DevOps
Continuous Vulnerability Assessment and Remediation June 30, 2019 20 Secure DevOps Keep up with new Vulnerabilities Reuse of Automation Framework AB Testing and Blue Green Deployment Scanning during Development 37 Vulnerabilities Return time 15 ms # errros/1000: 300 Visits / user 50 2 Vulnerabil ities Return time 25 ms # errros/1000 : 100 Visits / user 150 Patch Set A: Patch Set B:
Application Software Security June 30, 2019 21 Vulnerabilities found in 98% of apps Security assessments CICD Tools Advantages Run Additional Test in Staging in parallel Secure DevOps Trustwave Global Security Report
Controlled Use of Administrative Privileges June 30, 2019 22 The DevOps model Controlling administrative credentials becomes even more important In an “infrastructure as code” environment, the code itself acts as a privileged user Other systems provide ways to manage their own secrets Lack more advanced features Secure DevOps
OWASP Top 10 Project Guidelines June 30, 2019 23 Secure DevOps •Threat modeling scenarios SQL injection Cross-site scripting Cross-site request forgery Broken authentication and session management Unsecure direct object references Security misconfiguration Foundational security hygiene Embedded keys or credentials in the application System patching Target high value assets
Tooling that can help June 30, 2019 24 Identify actual and potential coding issues, including those identified in OWASP YASCA, HP Fortify, IBM AppScan, VisualCodeGrepper, Nessus, OpenSCAP, Black Duck, SonarQube …. Secure DevOps BlackDuck • scans and manages opensource software • supports mixed LDAP/DB auth, • good UI LAPSE • OWASP Security Scanner • Java EE Nessus • system vulnerabilities • missing patches • non- compliant system configurations OpenScap • utilizes XCCDF • system configurations for the operating system against an established checklist profile ClamAV • antivirus scanner for Linux operating systems Windows Defender • antivirus scanner for Windows operating systems Note: This is not an endorsement of any tools. The reader is encouraged to evaluate each tool independently.
Recommendations June 30, 2019 25 Adopt an immutable Infrastructure Mindset Integrate security and compliance testing seamlessly into DevSecOps Scan for and remove known vulnerabilities and misconfigurations Scale your information security team into DevOps Treat all automation scripts, templates, images and blueprints with the same level of assurance Train individuals and establish good communication Identify and report on Business Risks Create a culture of Security, incorporate Static and Dynamic Testing Secure DevOps
Conclusion June 30, 2019 26 Security is not an afterthought Integrating security into DevOps requires changing mindsets Information security must adapt to development processes and tools Regulated environment, DevOPS needs to evolve quickly Host of new security tools adapted for DevOps environments There is need for Best Practices Secure DevOps
Thank You tluthra@merlin-intl.com darora@merlin-intl.com

More Related Content

PDF
API Security Best Practices and Guidelines
byWSO2
 
PPTX
Secure coding practices
byScott Hurrey
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PDF
Developing a Testing Strategy for DevOps Success
byDevOps.com
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PPTX
The Path to IAM Maturity
byJerod Brennen
 
PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
PDF
Identity and Access Management 101
byJerod Brennen
 
API Security Best Practices and Guidelines
byWSO2
 
Secure coding practices
byScott Hurrey
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
Developing a Testing Strategy for DevOps Success
byDevOps.com
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
The Path to IAM Maturity
byJerod Brennen
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 
Identity and Access Management 101
byJerod Brennen
 

What's hot

PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PPTX
API Security Fundamentals
byJosé Haro Peralta
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PPTX
Getting Started with API Security Testing
bySmartBear
 
PPTX
Understanding Zero Trust Security for IBM i
byPrecisely
 
PPTX
1. 아키텍쳐 설계 프로세스
byTerry Cho
 
PPTX
POSTMAN.pptx
byRamaKrishna970827
 
PPTX
API Strategy Introduction
byDoug Gregory
 
PPTX
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 
PPTX
Microservices Architecture & Testing Strategies
byAraf Karsh Hamid
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PPTX
Zero trust deck 2020
byGuido Marchetti
 
PDF
Clean Infrastructure as Code
byQAware GmbH
 
PPTX
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
PDF
DevSecOps at Agile 2019
byElizabeth Ayer
 
PPTX
Code Review Best Practices
byTrisha Gee
 
PDF
Postman
byIgor Shubovych
 
PDF
Unit and integration Testing
byDavid Berliner
 
PPTX
RESTful API Testing using Postman, Newman, and Jenkins
byQASymphony
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
API Security Fundamentals
byJosé Haro Peralta
 
Api security-testing
byn|u - The Open Security Community
 
Getting Started with API Security Testing
bySmartBear
 
Understanding Zero Trust Security for IBM i
byPrecisely
 
1. 아키텍쳐 설계 프로세스
byTerry Cho
 
POSTMAN.pptx
byRamaKrishna970827
 
API Strategy Introduction
byDoug Gregory
 
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 
Microservices Architecture & Testing Strategies
byAraf Karsh Hamid
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
Zero trust deck 2020
byGuido Marchetti
 
Clean Infrastructure as Code
byQAware GmbH
 
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
DevSecOps at Agile 2019
byElizabeth Ayer
 
Code Review Best Practices
byTrisha Gee
 
Postman
byIgor Shubovych
 
Unit and integration Testing
byDavid Berliner
 
RESTful API Testing using Postman, Newman, and Jenkins
byQASymphony
 

Similar to Secure DevOPS Implementation Guidance

PDF
The What, Why, and How of DevSecOps
byCprime
 
PPTX
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
PDF
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PDF
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 
PDF
5 principles-securing-devops-veracode-whitepaper
bywardell henley
 
PPTX
SecDevOps: The New Black of IT
byCloudPassage
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PPTX
Shift Left for More Secure Apps with F5 NGINX
byNGINX, Inc.
 
PPTX
Are your DevOps and Security teams friends or foes?
byReuven Harrison
 
PDF
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
PPTX
Introduction to DevSecOps OWASP Ahmedabad
bykunwaratul hax0r
 
PPTX
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
PDF
Scale security for a dollar or less
byMohammed A. Imran
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
PDF
You build it - Cyber Chicago Keynote
byJohn Willis
 
PPTX
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
PDF
Why does security matter for devops by Caroline Wong
byDevSecCon
 
PPTX
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 
The What, Why, and How of DevSecOps
byCprime
 
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 
5 principles-securing-devops-veracode-whitepaper
bywardell henley
 
SecDevOps: The New Black of IT
byCloudPassage
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
Shift Left for More Secure Apps with F5 NGINX
byNGINX, Inc.
 
Are your DevOps and Security teams friends or foes?
byReuven Harrison
 
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
Introduction to DevSecOps OWASP Ahmedabad
bykunwaratul hax0r
 
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
Scale security for a dollar or less
byMohammed A. Imran
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
You build it - Cyber Chicago Keynote
byJohn Willis
 
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
Why does security matter for devops by Caroline Wong
byDevSecCon
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 

Recently uploaded

PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PPTX
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
PDF
Governing Agentic Enterprise - From Shadow AI to Autonomous Security.pdf
bysajjasridhar1990
 
PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PPTX
Lecture 05. API Security for DevSecOps Eng.pptx
byvinocol222
 
PDF
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
PDF
SEO in Charleston SC | Local SEO Strategies to Grow Your Business.pdf
bycustomdigitalsolutio1
 
PPTX
Oracle SCM Cloud Solutions for Smart Supply Chain Management
byChetu
 
PDF
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
PPTX
How Blockchain Application Development Enables Trustless Digital Ecosystems.pptx
byLisa ward
 
PDF
Using Change Data Capture (CDC) to Ingest Data into Apache Kafka
byGiovanni Marigi
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PPTX
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
PPTX
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
PPTX
02_Extended Warehouse Management Functions and Features.pptx
byUdayakumar218983
 
PPTX
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PDF
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
PDF
Higgsfield AI: The New Way to Create Cinematic Video
bytechnologyupside
 
PPTX
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
PPT
Waste water treatment plant operation and maintenance
byDuggineniRamakrishna
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
Governing Agentic Enterprise - From Shadow AI to Autonomous Security.pdf
bysajjasridhar1990
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
Lecture 05. API Security for DevSecOps Eng.pptx
byvinocol222
 
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
SEO in Charleston SC | Local SEO Strategies to Grow Your Business.pdf
bycustomdigitalsolutio1
 
Oracle SCM Cloud Solutions for Smart Supply Chain Management
byChetu
 
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
How Blockchain Application Development Enables Trustless Digital Ecosystems.pptx
byLisa ward
 
Using Change Data Capture (CDC) to Ingest Data into Apache Kafka
byGiovanni Marigi
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
02_Extended Warehouse Management Functions and Features.pptx
byUdayakumar218983
 
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
Higgsfield AI: The New Way to Create Cinematic Video
bytechnologyupside
 
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
Waste water treatment plant operation and maintenance
byDuggineniRamakrishna
 

Secure DevOPS Implementation Guidance

  • 1.
    Secure DevOps Awareness &a Guide to Practical Implementation BSides 2018 01 June 30, 2019 Merlin International, Inc.
  • 2.
    Merlin International June 30, 20192 Tej Luthra VP Engineering CyberSecurity and Security Analytics At Merlin International, Tej Luthra is building and leading a development team responsible for the integration of existing technologies and the development of new solutions that address organizations’ most pressing cybersecurity challenges. Devesh Arora Dir. Engineering Software Development & Web Services At Merlin International, Devesh Arora is leading a team responsible for development of front-end & microservices along with the secure DevOps strategy and implementation.
  • 3.
    June 30, 20193 Agenda
  • 4.
    Opportunity June 30, 20194 Secure DevOps Continuous Information Assurance Cloud native and rapid adoption of cloud platforms Use of CI/CD - Continuous Integration/Continuous Deployment Deliver secure code by integrating security practices into the pipeline Benefits Protect your systems, data and business Reputation, brand, profits Reduce Risk Customer Confidence Reduce Costs By 2019 only 10% of DevOps initiatives will have achieved the level of security automation required to be considered fully DevSecOps, up from less than 5% in 2017. By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.Opportunity January 16, 2019 4 Secure DevOps Continuous Information Assurance Cloud native and rapid adoption of cloud platforms Use of CI/CD - Continuous Integration/Continuous Deployment Deliver secure code by integrating security practices into the pipeline Benefits Protect your systems, data and business Reputation, brand, profits Reduce Risk Customer Confidence Reduce Costs By 2019 only 10% of DevOps initiatives will have achieved the level of security automation required to be considered fully DevSecOps, up from less than 5% in 2017. By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.
  • 5.
    What is DevOPS June30, 2019 5 Secure DevOps DevOps is agile on steroids As a methodology to build software fast Accelerates the velocity with which products are deployed to customers DevOps begins with all things continuous • Continuous Integration (CI) is the principle that code changes are checked into the source code repository in small batches • Continuous delivery and deployment are principles for how the results of testing are reviewed, and system automatically makes decision as to what to do with the build • Continuous Testing, Quality, Security, Governance, and so on …
  • 6.
    Why DevOPS June 30,2019 6 Secure DevOps Businesses need to accelerate the delivery of applications Focuses on quickly moving new features out to the customers Give Dev teams capability to deploy quickly and continuously … and the responsibility to support code in production Tear down the traditional silos of IT, namely between development and operations Puppet Labs 200x increase in speed from code commit to deploy 30x more frequent deployments 60% fewer production failures Bank of America 6x reduction in production defects Ticket Master Reduced Mean Time to Repair by 90% Source: https://www.slideshare.net/AndersLundsgrd/the-devops-journey-in-an-enterprise-scania-swisscom-software-day-2016
  • 7.
    The Ying andthe Yang June 30, 2019 7 Secure DevOps Challenges organizations face • Adoption of DevOps practices introduces complications • Auditing standardized security controls • Constantly changing assets with CD • Segregation of duties • Tracking cloud assets, extreme virtualization • DHCP logging or NAC/802,1x • Especially when controlled by 3rd party And there are opportunities • Focus on fast deployment, continual improvement, and automation • Naturally forces collaboration with teams • Avoids last-minute manual audits • Continuously TVM Shift Left • Security teams engaged early • Design, Deploy, Security Reviews • Ability to influence future heartburns • Deploy small changes • With reduced risk • Enforces standardized configurations • Logging, alerting and security metrics
  • 8.
    The full end-to-endproduct lifecycle June 30, 2019 8 Secure DevOps
  • 9.
    Build & Unit Tests Containerize Package Code Commit Codequality Scan Continuous Integration Frequent Code Check-ins Focus on Code Quality Automated Tests Find & Fix Bugs/Issues Soon Continuous Integration Secure DevOps June 30, 2019
  • 10.
    Build & Unit Tests Container Package Code Commit Code quality Scan Continuous Integration git Artifact Repository Tests Functional| Integration | Performance | UAT | Smoke D e p l o y m e n t Test Staging Prod C o d e P r o m o t i o n Manual Continuous Delivery Release Management Logging & Monitoring Secure DevOps June 30, 2019
  • 11.
    Build & Unit Tests Container Package Code Commit Code quality Scan Continuous Integration git Artifact Repository Tests Functional| Integration | Performance | UAT | Smoke D e p l o y m e n t Test Staging Prod A u t o m a t e d C o d e P r o m o t i o n Continuous Deployment Release Management Logging & Monitoring Secure DevOps June 30, 2019
  • 12.
    Route to SecureDevOPS 6/30/2019 12 Secure DevOps Why • Criminals & hackers focus on weakness • A part of your security strategy • Constantly Evaluate Business Risks • Federal, State, Local, Regulatory Challenges • Believed too costly • Split between Functionality and Speed • Private / Behind a firewall • Find and Fix • Tools and Resources Considerations • Risk Assessments • Policy – Procedures – Processes • Regulatory – PCI, HIPAA, FISMA • Physical Infrastructure • Methodology • Data Strategy • Threat Modeling • Testing Source: https://www.cisecurity.org/webinar/foundations-of-an-application-security-program/
  • 13.
    Security lifecycle inDevOPS June 30, 2019 14 Common action items including static & dynamic code analysis, vulnerability scanning, anti- virus scans, and other similar integrity functions The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization Secure DevOps NIST 800-115: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
  • 14.
    Common Requirements June 30,2019 15 Access Control Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Security Assessment System & Comm. Protection System & Information Integrity Secure DevOps
  • 15.
    Guidance June 30, 201916 Secure DevOps Refine information security objectives for adoption Integrate continuous security assurance seamlessly into CI/CD toolchain Perfect security is impossible. Zero risk is impossible The entire DevOps life cycle needs to be secured Address Risk with continuous run time assessment, augment with existing cybersecurity framework
  • 16.
    June 30, 201917 Secure DevOps Identify known vulnerabilities Use of reusable libraries and frameworks The amount of custom code is reducing considerably Open-source software (OSS) presents a unique challenge
  • 17.
    Secure Configurations forHW & SW June 30, 2019 18 Known vulnerabilities Use custom hardened system images Center for Internet Security (CIS) CICD Tools simplify process of rolling out Secure DevOps
  • 18.
    Automated Deployment ofInfrastructure and Software June 30, 2019 19 Use blue-green deployment scenario Same principles apply to “infrastructure as code” Early adopter scenarios Secure DevOps
  • 19.
    Continuous Vulnerability Assessmentand Remediation June 30, 2019 20 Secure DevOps Keep up with new Vulnerabilities Reuse of Automation Framework AB Testing and Blue Green Deployment Scanning during Development 37 Vulnerabilities Return time 15 ms # errros/1000: 300 Visits / user 50 2 Vulnerabil ities Return time 25 ms # errros/1000 : 100 Visits / user 150 Patch Set A: Patch Set B:
  • 20.
    Application Software Security June30, 2019 21 Vulnerabilities found in 98% of apps Security assessments CICD Tools Advantages Run Additional Test in Staging in parallel Secure DevOps Trustwave Global Security Report
  • 21.
    Controlled Use ofAdministrative Privileges June 30, 2019 22 The DevOps model Controlling administrative credentials becomes even more important In an “infrastructure as code” environment, the code itself acts as a privileged user Other systems provide ways to manage their own secrets Lack more advanced features Secure DevOps
  • 22.
    OWASP Top 10Project Guidelines June 30, 2019 23 Secure DevOps •Threat modeling scenarios SQL injection Cross-site scripting Cross-site request forgery Broken authentication and session management Unsecure direct object references Security misconfiguration Foundational security hygiene Embedded keys or credentials in the application System patching Target high value assets
  • 23.
    Tooling that canhelp June 30, 2019 24 Identify actual and potential coding issues, including those identified in OWASP YASCA, HP Fortify, IBM AppScan, VisualCodeGrepper, Nessus, OpenSCAP, Black Duck, SonarQube …. Secure DevOps BlackDuck • scans and manages opensource software • supports mixed LDAP/DB auth, • good UI LAPSE • OWASP Security Scanner • Java EE Nessus • system vulnerabilities • missing patches • non- compliant system configurations OpenScap • utilizes XCCDF • system configurations for the operating system against an established checklist profile ClamAV • antivirus scanner for Linux operating systems Windows Defender • antivirus scanner for Windows operating systems Note: This is not an endorsement of any tools. The reader is encouraged to evaluate each tool independently.
  • 24.
    Recommendations June 30, 201925 Adopt an immutable Infrastructure Mindset Integrate security and compliance testing seamlessly into DevSecOps Scan for and remove known vulnerabilities and misconfigurations Scale your information security team into DevOps Treat all automation scripts, templates, images and blueprints with the same level of assurance Train individuals and establish good communication Identify and report on Business Risks Create a culture of Security, incorporate Static and Dynamic Testing Secure DevOps
  • 25.
    Conclusion June 30, 201926 Security is not an afterthought Integrating security into DevOps requires changing mindsets Information security must adapt to development processes and tools Regulated environment, DevOPS needs to evolve quickly Host of new security tools adapted for DevOps environments There is need for Best Practices Secure DevOps
  • 26.

Editor's Notes

  • #2 Ensuring the confidentiality, integrity and availability of digital assets in the cloud
  • #5 DevOPS practices presents a unique opportunity to deliver more secure code by integrating security practices into the pipeline. There is a wide variety of open source and commercial tools that allow the creation Secure DevOps pipelines that assist with the security and information assurance function. By integrating the performance of security testing and scanning as part of the build and deploy process, Secure DevOps allows the ability to deliver Continuous Information Assurance In the past 12 months at Gartner, how to securely integrate security into DevOps — delivering DevSecOps — has been one of the fastest-growing areas of interest of clients, with more than 600 inquiries across multiple Gartner analysts in that time frame. From conversations with clients and by analyzing successful DevSecOps initiatives, we have seen what works, what doesn't and which approaches have the most success.
  • #6 While DevOps may be overhyped, oversold, and oversubscribed right now, those who approach it as a journey, not a destination, are finding incredible business value. You’ve heard all the reasons why DevOps won’t work: issues with compliance, ITIL, security, production availability, architectural complexity, and so on. But the benefits it can deliver—faster delivery, quality, and security—are within reach. The question is, How do you start the move from silos to streamlined development pipelines? Application Packaging ensures that you have a trusted handoff between development teams and operations teams.  Developers can focus on what they do best, developing and maintaining their software. Operations can focus on what they do best, enforcing security and improving application deployment and management through orchestration and automation.  The Application Package ensures that you have a versionable, maintainable asset at the center of the process. Application Packaging is Application-Centric DevOps. Continuous Integration/Continuous Deployment (CI/CD) reducing the time and effort it takes to test and deploy code into production rapid automation enabled by cloud platforms and cloud native technologies Don’t forget Continuous [ Testing (CT), Quality (CQ), Delivery (CDe), Security (CS)] Secure DevOPS help address the needs of regulation and compliance integration of security scans and reviews as part of the CICD process
  • #7 Businesses need to accelerate the delivery of applications Focuses on quickly moving new features out to the customers Not about specific tools, but improves adoption Bringing teams together, agile on steroids Organized not from a project delivery standpoint, but have a more product delivery focus Give Dev teams capability to deploy and the responsibility to support code in production Tear down the traditional silos of IT, namely between development and operations Aims at removing bottlenecks, conflicts, and risk from the lifecycle between business decision and customer outcome The 2015 Puppet Labs State of DevOps Report shows organizations achieving 200x increase in speed from code commit to deploy 30x more frequent deployments 60% fewer production failures Bank of America cites 6x reduction in production defects Ticketmaster Reduced their Mean Time to Repair by 90% Businesses are looking to accelerate the delivery of production quality software with fewer defects, and better security. Continuous Integration/Continuous Deployment (CI/CD) also known as DevOps is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. The rapid automation of the integration and deployment activities is common especially on cloud-based platforms. Adding security testing into the DevOps pipeline can help address the needs of regulated, compliance and public sector focused organizations. This white paper describes the use of open source technologies and commercial packages to design and deploy a Secure DevOps pipeline. Tools such as Yasca, SonarQube, and OpenSCAP amongst others when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify and others provide a robust SecDevOps implementation. Since the first DevOps Days conference was held in 2009, adoption of DevOps strategies has been growing rapidly, with 25% of global IT companies predicted to have moved towards DevOps by 2016 (Gartner, 2015). The very definition of DevOps is still evolving, but most agree it encompasses a set of cultural values in addition to the tools and practices that enable continuous delivery (Loukides, 2015). Continuous delivery provides a competitive advantage to software companies (Humble, 2014) by lowering the risk and cost associated with releases. It also enables near-immediate feedback on new features; practicing continuous delivery requires collaboration and empathy amongst the teams involved in the delivery process (Fowler, 2013). Configuration management systems automate the provisioning of new systems, enforcing consistent application installation, system and application configuration across classes of servers. The configuration information lives in a source code repository, and systems such as Chef, Puppet, Salt, or Ansible allow developers to treat the configuration of the servers that will run application software as code. This “infrastructure as code” can itself be versioned and tested, providing assurances that identical configurations will be in place everywhere, and improving the odds that software that tested fine in the staging system will be fine in production as well (Riley, 2014). Finally, an automated system for reliably moving software through the build -> deploy -> test -> release process is the key component (Humble & Farley, 2010) in any DevOps system. Continuous integration tools such as Jenkins make a formerly slow and error-prone task easy and repeatable, enabling the deployment of small changes and giving fast feedback about how the code operates and what customers think about new features. DevOps is becoming the preferred approach for the rapid development and continuous delivery of these new IT-enabled capabilities. Implemented correctly, DevOps offers IT organizations improved speed of development by embracing a collaborative philosophy that tears down traditional silos of development and operations. However, in most cases, security and compliance have been afterthoughts to DevOps.
  • #8 Challenges organizations face Adoption of DevOps practices introduces complications Implementing and auditing standardized security controls Presenting issues such as constantly changing assets, continuous deployment Breakdown in traditional segregation of duties Tracking cloud assets, extreme virtualization DHCP logging or NAC/802,1x Especially when controlled by 3rd party And there are opportunities Focus on fast deployment, continual improvement, and automation Naturally forces collaboration with security teams Avoid last-minute manual audits and reviews Review various threats & vulnerabilities continuously Shift Left Security teams engaged early in the design process to ensure ability to deploy continuously and securely Reduces risk by deploying small changes rather than large complex ones Enforces standardized configurations for logging, alerting and security metrics
  • #10 Create the supporting CI pipeline to ensure that the necessary resources are in place before development begins. Include stakeholders from all the engineering disciplines such as development, test, data management, I&O and security as you develop each CI pipeline. Build a CI pipeline by specifying the desired outcomes to be achieved and the required artifacts to be generated. Assess and document current build processes and infrastructure. Periodically revisit these two steps to ensure that the CI pipeline continues to deliver the necessary results. Establish baseline metrics — such as frequency and execution time of application builds, build and deployment failures, and repeated errors — before integrating each application. Gather and monitor these metrics to evaluate the success of each change, and adapt when changes to the process don't deliver the expected benefits. Choose an application with established (but not yet automated) build and deployment processes as your pilot. As the process matures, review the application portfolio and expand the use of CI to applications that will benefit the most.
  • #11 Begin each software development project by first creating the supporting CI pipeline to ensure that the necessary resources are in place before development begins. Begin the process of building your CI pipeline by specifying the desired outcomes to be achieved and the required artifacts to be generated. Next, assess and document your current build process and infrastructure. Use the first two steps to redesign your process to ensure that the CI pipeline delivers the necessary results. Establish baseline metrics — such as frequency and execution time of application builds, build and deployment failures, and repeated errors — before integrating each application, and monitor those metrics throughout the application life cycle. Use the baseline metrics to evaluate the success of each change, and adapt when changes to the process don't deliver the expected benefits. Choose an application with established (but not yet automated) build and deployment processes as your pilot. As the process matures, expand the process to other applications that are supported by your development organization.
  • #13 Why Criminals & hackers focus on weakness Leads to breaches A part of your security strategy Constantly Evaluate Business Risks Federal, State, Local, Regulatory Challenges Believed too costly Split between Functionality and Speed Private / Behind a firewall Find and Fix Tools and Resources Considerations Risk Assessments Policy – Procedures – Processes Regulatory – PCI, HIPAA, FISMA Physical Infrastructure Methodology Data Strategy Mapping, Collection, Storage, Cleaning Decommissioning and Retention Threat Modeling Testing
  • #15 Challenges audit of a security program relative immaturity and lack of corporate backing Tools new to the market or are open-sourced reliance on IaaS and PaaS reduces control and visibility at the hardware and network layer the flexibility of Cloud providers to quickly scale up and down Make them attractive in DevOps environments The CI/CD or DevOps Security lifecycle begins with code development and integration. As the code is committed for deployment, the CI/CD security processes are activated. Common action items including static code analysis, vulnerability scanning, anti-virus scans and other similar integrity functions. The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization. In order to comply with NIST requirements for applying secure engineering principles, application developers should utilize code analysis utilities to ensure safe coding practices are followed. Project teams should leverage code analysis utilities as early as possible in the development lifecycle. the project will experience fewer delays and incidents of rework due to flaws and other security concerns At a minimum, code analysis should be performed as code modules are completed, but it is not necessary for modules to be completely finished for code review to be useful. Commit Code to CI/CD s application code is committed to the CI/CD branch in the git repository CI/CD performs a security review utilizing automated static code analysis tools.
  • #16 Compliant Architecture Identify compliance & requirements first Select eligible services through trusted sources and suppliers Create cloud-native solution architecture Continuous Monitoring and Management Implement tools for governance, security and cloud operations Define processes and assign roles Define artifacts and operate against SLA’s Accreditations and Authorization Document system security plan Create security backlog in plan of actions and milestones Incident response plan
  • #17 Refine information security objectives for adoption Integrate continuous security assurance seamlessly into CI/CD toolchain Perfect security is impossible. Zero risk is impossible Bring continuous risk- and trust- based assessment Bring prioritization of application vulnerabilities The entire DevOps life cycle needs to be secured Including when new services are deployed into runtime operation Address Risk with continuous run time assessment, augment with Network- and host-based intrusion prevention systems (IPS) Web application firewalls (WAF) for protection against known vulnerabilities Runtime application self-protection Application monitoring and protection Botnet mitigation In-depth defense at the application layer
  • #18 Use of reusable libraries and frameworks This leads to a shift in focus for security scanning Majority risk can be addressed by identifying known vulnerabilities & misconfiguration Vulnerability assessment vendors are adapting their scanning capabilities Some toolchain element vendors like Docker are integrating this capability The importance of this best practice cannot be understated Breach at Equifax may have had a root cause of a known vulnerability issue in Apache Struts, as stated by Equifax. Likewise OpenSSL's Heartbleed Open-source software (OSS) presents a unique challenge The developer may simply cut and paste source code
  • #19 Once hardened configurations for operating systems and application components are developed, DevOps deployment tools and configuration management services like Puppet, Chef, Ansible and Salt greatly simplify the process of rolling these out to all systems and keeping the configurations in sync over time Docker and other container technologies are increasingly popular methods for deploying applications in DevOps environments, due to advantages in portability, efficiency in resource sharing and speed of deployment Docker also offers some security advantages, in the form of increased isolation of applications, particularly in multiWtenant environments Docker images, however, cannot be patched and updated or have running configuration changed on the fly; updated software or secure configuration must be baked in as part of the image build and new containers Deployed leading to situations where multiple container versions of varying security may be running https://www.cisecurity.org/benchmark/docker/
  • #20 Use blue-green deployment scenario Test and cutover with no downtime Subset of traffic may move to the green deployment Once traffic is fully cut over, the blue deployment gets decommissioned, or rollback Same principles apply to “infrastructure as code” Early adopter scenarios Used to turn new features on for particular sets of users Allow analysis of system or user behavior
  • #21 Continuous Vulnerability Assessment and Remediation Challenge: Keeping up with relentless pace of newlyWannounced vulnerabilities however, the focus on automation, testing, and continuous monitoring in DevOps environments can be advantageous; the same systems that allow automated deployments of new application code via thorough unit and functional testing provide a strong foundation for testing new patches Deployment strategies for BlueWGreen deployments and AWB testing allow gradual rollout and immediate feedback regarding issues and changes in system behavior Security scans that happen as part of the deployment process provide verification that updates address known issues and reach all intended targets
  • #22 Trustwave Global Security Report Vulnerabilities were found in 98% of the applications scanned Data leakage, cross-site scripting, SQL injection and authorization, among others Security assessments - PenTesting CICD Tools Advantages Jenkins, Hudson and similar tools provide easy support via plugins Code review and for running static analysis as part of the pipeline These acceptance tests should be designed to complete quickly and can be run before new code is even deployed to the integration/staging environment Further security testing, such as tests of security related functionality, vulnerability scanning, and application security scans can then be run in parallel to other acceptance testing within the staging environment
  • #23 In the DevOps model everyone has the potential to administer systems and debug production issues, controlling administrative credentials becomes even more important In a continuous deployment, “infrastructure as code” environment, the code itself acts as a privileged user These credential “secrets” must be used by the orchestration systems Secrets Management systems aim to role based access control and auditability to the DevOps system Configuration management systems like Chef and Puppet provide their own solutions for protecting secrets stored within the infrastructure code using public key encryption Kack more advanced features such as role based controlled access to the secrets, or full featured support for rotating passwords and SSH keys Secrets management systems like Hashicorp’s Vault and Conjur’s SSH Management solution provide methods to automatically provision temporary access via one-time passwords or SSH keys and to enable SSH key rotation for service accounts.
  • #24 When code has been committed to the CI/CD Git repository the associated Jenkins job builds the code base. The Jenkins build invokes a Yasca scan of the committed code, which creates a Yasca report in HTML format as well as CSV format. The Yasca results CSV file is further processed and formatted into an xml document. After the Yasca file is processed, Sonar Scanner is invoked to analyze the created XML file using custom rules to map the Yasca results into the SonarQube dashboard. The OWASP Top 10 Project and similar publicly available guidelines are a great start.3 The training should include: How to build and maintain simple threat modeling scenarios (thinking like a bad guy) Input whitelisting, filtering and sanitization for user input and files SQL injection Cross-site scripting Cross-site request forgery Broken authentication and session management Unsecure direct object references Security misconfiguration Foundational security hygiene Why not to embed keys or credentials in the application code or scripts The importance of patching How and why hackers will target admins for credential theft and how to avoid this Plugins Grep Plugin. Uses external GREPfiles to scan target files for simple patterns. PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues. JLint Plugin. Uses J-Lint to scan Java .class files for issues. antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues. FindBugs Plugin. Uses FIndBugs to scan Java class and Jar files for issues. Lint4J Plugin. Uses Lint4J to scan Java .class files for issues. Yasca plugins implement five (5) severity levels: 1 – Critical, 2–High, 3 – Warning, 4–Low, 5 – Informational SonarQube implements five (5) severity levels: • Blocker • Critical • Major • Minor • Info
  • #25 https://www.checkmarx.com/2014/11/13/the-ultimate-list-of-open-source-static-code-analysis-security-tools/ When code has been committed to the CI/CD Git repository the associated Jenkins job builds the code base. The Jenkins build invokes a Yasca scan of the committed code, which creates a Yasca report in HTML format as well as CSV format. The Yasca results CSV file is further processed and formatted into an xml document. After the Yasca file is processed, Sonar Scanner is invoked to analyze the created XML file using custom rules to map the Yasca results into the SonarQube dashboard. The OWASP Top 10 Project and similar publicly available guidelines are a great start.3 The training should include: How to build and maintain simple threat modeling scenarios (thinking like a bad guy) Input whitelisting, filtering and sanitization for user input and files SQL injection Cross-site scripting Cross-site request forgery Injection Broken authentication and session management Unsecure direct object references Security misconfiguration Foundational security hygiene Why not to embed keys or credentials in the application code or scripts The importance of patching How and why hackers will target admins for credential theft and how to avoid this Plugins Grep Plugin. Uses external GREPfiles to scan target files for simple patterns. PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues. JLint Plugin. Uses J-Lint to scan Java .class files for issues. antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues. FindBugs Plugin. Uses FIndBugs to scan Java class and Jar files for issues. Lint4J Plugin. Uses Lint4J to scan Java .class files for issues. Yasca plugins implement five (5) severity levels: 1 – Critical, 2–High, 3 – Warning, 4–Low, 5 – Informational SonarQube implements five (5) severity levels: • Blocker • Critical • Major • Minor • Info
  • #26 Adapt Your Security Testing Tools and Processes to the Developers, Not the Other Way Around Quit Trying to Eliminate All Vulnerabilities During Development Focus First on Identifying and Removing the Known Critical Vulnerabilities Don't Expect to Use Traditional DAST/SAST Without Changes Train All Developers on the Basics of Secure Coding, but Don't Expect Them to Become Security Experts Adopt a Security Champion Model and Implement a Simple Security Requirements Gathering Tool Eliminate the Use of Known Vulnerable Components at the Source Secure and Apply Operational Discipline to Automation Scripts Implement Strong Version Control on All Code and Components Adopt an Immutable Infrastructure Mindset Integrate security and compliance testing seamlessly into DevSecOps so that developers never have to leave their continuous integration or continuous deployment toolchain environment. Scan for known vulnerabilities and misconfigurations in all open-source and third-party components. Ideally, build out a complete bill of materials using software composition analysis. Trying to remove all unknown vulnerabilities in custom code, which increases false positives Scale your information security team into DevOps by using a security champion model. Treat all automation scripts, templates, images and blueprints with the same level of assurance that you would treat any source code.
  • #27 Integrating security into DevOps to deliver "DevSecOps" requires changing mindsets, processes and technology Security and risk management leaders must adhere to the collaborative, agile nature of DevOps to be seamless and transparent in the development process, making the Sec in DevSecOps silent. If adopting a DevOPS framework, Information security must adapt to development processes and tools, not the other way around. But it doesn’t mean Organizations producing new applications and services using DevOps have the same responsibility to produce secure and compliant code as required by any other application. The success of the DevOps movement means that DevOps practices are being adopted by diverse organizations, from small startups to Fortune 500 companies. As the movement matures, security is no longer an afterthought and consensus is building about the right ways to integrate security best practices into the DevOps cultural and technical evolution. explosion in the numbers of tools available to help secure DevOps environments, from repository firewalls (Weeks, 2015) to new application scanners and security functional test infrastructures (DeVries, 2015), to new SSH Management solutions and the ability to scan Docker containers (Doran, 2015). DevOps philosophy and the typical microservices architecture is the freedom to choose the tools that are best for a particular culture and environment In a regulated environment, DevOps teams will need to involve security early in the process to ensure a smooth deployment for new features the opportunity for greater collaboration with security teams can only be a positive Step The glut of new security tools adapted for DevOps environments has the ability to provide new levels of visibility and automation for implementing security controls. Such new tools may not be fully mature, however, and may have flaws or lack features present in more established products. There is also a lack of precedent when it comes to using such tools for audit against security standards. As the shift towards DevOps continues, we can expect increased maturity for DevOps security tools and best practices that should make implementation of these important controls easier in the future. from a security perspective, this mindset can be advanced and has the potential to radically improve security by proactively "killing" workloads and replacing them with versions from a known good state