Secure DevOPS: Awareness & a Guide to Practical Implementation
Tej Luthra, VP Engineering, Product Development
Devesh Arora, Director of Engineering, Product Development
Merlin International, June 30, 2019
• Enables Veterans Affairs with an IoT cybersecurity solution for 1.65 million network-connected devices
• Supports Department of Defense with day-to-day network operations
• Helps federal agencies with secure, economical, and environmentally friendly consolidated data center services
• Enables HHS CSIRC to build an enterprise-wide view of cybersecurity for rapid threat assessment and disposition
Agenda
What is DevOPS
DevOps is agile on steroids: a methodology to build software fast that accelerates the velocity with which products are deployed to customers.
DevOps begins with all things continuous:
• Continuous Integration (CI) is the principle that code changes are checked into the source code repository in small batches
• Continuous delivery and deployment are principles for how the results of testing are reviewed, and the system automatically decides what to do with the build
• Continuous Testing, Quality, Security, Governance, and so on …
Why DevOPS
Businesses need to accelerate the delivery of applications
• Focuses on quickly moving new features out to the customers
• Gives Dev teams the capability to deploy quickly and continuously … and the responsibility to support code in production
• Tears down the traditional silos of IT, namely between development and operations
Puppet Labs: 200x increase in speed from code commit to deploy; 30x more frequent deployments; 60% fewer production failures
Bank of America: 6x reduction in production defects
Ticket Master: reduced Mean Time to Repair by 90%
Source: https://www.slideshare.net/AndersLundsgrd/the-devops-journey-in-an-enterprise-scania-swisscom-software-day-2016
Route to Secure DevOPS
Why
• Criminals & hackers focus on weakness
• A part of your security strategy
• Constantly evaluate business risks
• Federal, State, Local, Regulatory challenges
• Believed too costly
• Split between functionality and speed
• Private / behind a firewall
• Find and fix
• Tools and resources
Considerations
• Risk assessments
• Policy – Procedures – Processes
• Regulatory – PCI, HIPAA, FISMA
• Physical infrastructure
• Methodology
• Data strategy
• Threat modeling
• Testing
Source: https://www.cisecurity.org/webinar/foundations-of-an-application-security-program/
Security within the end-to-end product lifecycle
Figure: pipeline diagram in which Continuous Integration flows into Continuous Deployment and Delivery, with Continuous Security Feedback running across the whole pipeline; security activities along the stages: security considerations, designed and tested, security hardened, security controls, monitoring.
Common Requirements
• Access Control
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Security Assessment
• System & Comm. Protection
• System & Information Integrity
Identify known vulnerabilities
• Use of reusable libraries and frameworks
• The amount of custom code is shrinking considerably
• Open-source software (OSS) presents a unique challenge
Secure Configurations for HW & SW
• Known vulnerabilities
• Use custom hardened system images
• Center for Internet Security (CIS)
• CI/CD tools simplify the process of rolling them out
Continuous Vulnerability Assessment and Remediation
• Keep up with new vulnerabilities
• Reuse of automation framework
• A/B testing and blue/green deployment
• Scanning during development
Example comparison of two patch sets under A/B testing:
                  Patch Set A   Patch Set B
Vulnerabilities   37            2
Return time       15 ms         25 ms
# errors/1000     300           100
Visits / user     50            150
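The deck describes continuous delivery as the system deciding what to do with a build, and the patch-set comparison above gives the kind of signals such a decision uses. The release gate below is an added example, not code from the deck: it applies assumed hard limits (the GatePolicy numbers are mine, not the authors') to the deck's two patch sets and promotes only a build that clears every gate, ranking security findings above the faster response time.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PatchSetMetrics:
    """Signals gathered for one candidate build during an A/B or blue/green trial."""
    name: str
    vulnerabilities: int      # open findings from scanning during development
    return_time_ms: float     # response time observed in the trial slice
    errors_per_1000: float    # errors per 1000 requests in the trial slice
    visits_per_user: float    # engagement signal from the A/B split


@dataclass(frozen=True)
class GatePolicy:
    """Hard limits a build must satisfy before traffic is switched to it.
    These are assumed policy values, not figures from the deck."""
    max_vulnerabilities: int = 5
    max_errors_per_1000: float = 150.0
    max_return_time_ms: float = 50.0


def gate_failures(m: PatchSetMetrics, policy: GatePolicy) -> list[str]:
    """List every hard-gate violation; an empty list means the build may be promoted."""
    failures: list[str] = []
    if m.vulnerabilities > policy.max_vulnerabilities:
        failures.append(f"{m.name}: {m.vulnerabilities} vulnerabilities exceed limit {policy.max_vulnerabilities}")
    if m.errors_per_1000 > policy.max_errors_per_1000:
        failures.append(f"{m.name}: {m.errors_per_1000:g} errors/1000 exceed limit {policy.max_errors_per_1000:g}")
    if m.return_time_ms > policy.max_return_time_ms:
        failures.append(f"{m.name}: {m.return_time_ms:g} ms return time exceeds budget {policy.max_return_time_ms:g} ms")
    return failures


def rank_key(m: PatchSetMetrics) -> tuple:
    # Among builds that pass every gate, prefer fewer vulnerabilities, then fewer
    # errors, then more engagement, and only then the faster response time.
    return (m.vulnerabilities, m.errors_per_1000, -m.visits_per_user, m.return_time_ms)


def choose_release(candidates: list[PatchSetMetrics], policy: GatePolicy) -> str | None:
    """Return the name of the build to cut traffic over to, or None to keep the current one."""
    passing = [c for c in candidates if not gate_failures(c, policy)]
    if not passing:
        return None
    return min(passing, key=rank_key).name


# Figures from the deck's A/B comparison slide.
PATCH_SET_A = PatchSetMetrics("Patch Set A", vulnerabilities=37, return_time_ms=15, errors_per_1000=300, visits_per_user=50)
PATCH_SET_B = PatchSetMetrics("Patch Set B", vulnerabilities=2, return_time_ms=25, errors_per_1000=100, visits_per_user=150)
DEFAULT_POLICY = GatePolicy()

if __name__ == "__main__":
    for candidate in (PATCH_SET_A, PATCH_SET_B):
        problems = gate_failures(candidate, DEFAULT_POLICY)
        print(candidate.name, "PASS" if not problems else "BLOCKED", *problems, sep="\n  ")
    print("promote:", choose_release([PATCH_SET_A, PATCH_SET_B], DEFAULT_POLICY))
```

Patch Set A is the faster build, but it is blocked on both the vulnerability count and the error rate, so the gate promotes Patch Set B.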
Application Software Security
• Vulnerabilities found in 98% of apps (Trustwave Global Security Report)
• Security assessments
• CI/CD tools advantage: run additional tests in staging in parallel
Controlled Use of Administrative Privileges
• In the DevOps model, controlling administrative credentials becomes even more important
• In an “infrastructure as code” environment, the code itself acts as a privileged user
• Other systems provide ways to manage their own secrets, but lack more advanced features
OWASP Top 10 Project Guidelines
• Threat modeling scenarios: SQL injection; cross-site scripting; cross-site request forgery; broken authentication and session management; insecure direct object references; security misconfiguration
• Foundational security hygiene: embedded keys or credentials in the application; system patching
• Target high value assets
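Two of the points above share one fix: under infrastructure as code the code itself acts as a privileged user, and embedded keys or credentials in the application are a hygiene failure. This added example (not from the deck) scans configuration lines for literal credentials before they are committed, and shows the replacement pattern of resolving a secret by name at run time. The key-name list, the 3.5-bit entropy threshold and the /run/secrets mount path are my assumptions; the sample config is constructed and uses the example access key id from the AWS documentation.

```python
from __future__ import annotations

import math
import os
import re
from pathlib import Path
from typing import Iterable, Mapping, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    name: str   # the config key or variable the literal was assigned to, when known


# Variable or key names that usually hold a credential when a literal is assigned to them (assumed list).
_KEY_NAMES = r"(?:password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token|private[_-]?key)"
_ASSIGNMENT_RE = re.compile(
    rf"(?i)\b(?P<name>[a-z0-9_.-]*{_KEY_NAMES}[a-z0-9_.-]*)\s*[:=]\s*['\"](?P<value>[^'\"]{{8,}})['\"]"
)
_PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
_AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A value that is only a reference to the environment, a template variable or a
# placeholder is the desired pattern: the secret is injected, not embedded.
_INDIRECTION_RE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$|^\{\{.*\}\}$|^<[^<>]+>$")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens score well above natural words."""
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def scan_lines(lines: Iterable[str]) -> list[Finding]:
    """Flag lines that embed key material or a literal credential."""
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        m = _ASSIGNMENT_RE.search(line)
        name = m["name"] if m else ""
        if _PEM_RE.search(line):
            findings.append(Finding(line_no, "private-key-material", name))
        elif _AWS_KEY_RE.search(line):
            findings.append(Finding(line_no, "aws-access-key-id", name))
        elif m and not _INDIRECTION_RE.match(m["value"]):
            rule = "high-entropy-literal" if shannon_entropy(m["value"]) > 3.5 else "credential-literal"
            findings.append(Finding(line_no, rule, name))
    return findings


def load_secret(name: str, env: Mapping[str, str] | None = None,
                secrets_dir: Path = Path("/run/secrets")) -> str:
    """Resolve a secret at run time from the environment or a file the platform mounted,
    so the checked-in code carries only the secret's name, never its value."""
    env = os.environ if env is None else env
    if name in env:
        return env[name]
    path = secrets_dir / name
    if path.is_file():
        return path.read_text().strip()
    raise KeyError(f"secret {name!r} was not injected into this environment")


# Constructed sample: the same deployment config before and after the secrets were moved out of the code.
CONFIG_BEFORE = """\
db_host = "db.internal.example"
db_password = "Summer2019!"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
api_token = "8f3c1a9e2b7d4e6f0a1b2c3d4e5f6a7b"
""".splitlines()

CONFIG_AFTER = """\
db_host = "db.internal.example"
db_password = "${DB_PASSWORD}"
aws_access_key_id = "<injected by CI runner role>"
api_token = "{{ vault_api_token }}"
""".splitlines()

if __name__ == "__main__":
    for label, config in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, scan_lines(config) or "clean")
```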
Tooling that can help
• Identify actual and potential coding issues, including those identified in OWASP
• YASCA, HP Fortify, IBM AppScan, VisualCodeGrepper, Nessus, OpenSCAP, Black Duck, SonarQube …
BlackDuck: scans and manages open-source software; supports mixed LDAP/DB auth; good UI
LAPSE: OWASP security scanner for Java EE
Nessus: system vulnerabilities; missing patches; non-compliant system configurations
OpenSCAP: utilizes XCCDF to check the operating system's configuration against an established checklist profile
ClamAV: antivirus scanner for Linux operating systems
Windows Defender: antivirus scanner for Windows operating systems
Note: This is not an endorsement of any tools. The reader is encouraged to evaluate each tool independently.
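OpenSCAP reports in the XCCDF format named above, which makes its output usable as a pipeline gate for the hardened system images the deck recommends. As an added example (not from the deck or the OpenSCAP project), the code below parses a constructed XCCDF 1.2 TestResult and blocks the build on failed rules at a severity the policy refuses to ship, with explicit waivers for documented exceptions and warnings for rules the scanner could not evaluate. The rule ids, severities and the fail_on policy are assumed values.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import Iterable, NamedTuple

# XCCDF 1.2 namespace used in OpenSCAP result documents.
XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"


class RuleResult(NamedTuple):
    rule_id: str
    severity: str
    result: str


class GateDecision(NamedTuple):
    blocking: list[str]   # failed rules at a severity the policy refuses to ship
    warnings: list[str]   # waived failures, lower-severity failures, rules not evaluated
    passed: bool


def parse_rule_results(xml_text: str) -> list[RuleResult]:
    """Collect every <rule-result> from an XCCDF TestResult document."""
    root = ET.fromstring(xml_text)
    results: list[RuleResult] = []
    for rr in root.iter(f"{XCCDF_NS}rule-result"):
        result_el = rr.find(f"{XCCDF_NS}result")
        outcome = (result_el.text or "").strip().lower() if result_el is not None else "unknown"
        results.append(RuleResult(rr.get("idref", ""), rr.get("severity", "unknown").lower(), outcome))
    return results


def gate(results: Iterable[RuleResult], fail_on: Iterable[str] = ("high",),
         waived: frozenset[str] = frozenset()) -> GateDecision:
    """Block on any failed rule whose severity is in fail_on and that has no waiver.
    Rules the scanner could not evaluate become warnings instead of silent passes."""
    fail_on = set(fail_on)
    blocking: list[str] = []
    warnings: list[str] = []
    for r in results:
        if r.result == "fail":
            if r.rule_id in waived:
                warnings.append(f"{r.rule_id}: failed but waived")
            elif r.severity in fail_on:
                blocking.append(r.rule_id)
            else:
                warnings.append(f"{r.rule_id}: failed at severity {r.severity}")
        elif r.result in ("error", "unknown", "notchecked"):
            warnings.append(f"{r.rule_id}: not evaluated ({r.result})")
    return GateDecision(blocking, warnings, passed=not blocking)


# Constructed sample result document (ids and outcomes are made up for illustration).
SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample-run" start-time="2019-06-30T12:00:00">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high" weight="10.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_firewalld_enabled" severity="high" weight="10.0">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_password_min_len" severity="medium" weight="5.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_rules_present" severity="low" weight="1.0">
      <result>notchecked</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    decision = gate(parse_rule_results(SAMPLE_RESULTS), fail_on=("high", "medium"))
    print("image build", "PASSED" if decision.passed else "BLOCKED")
    for rule_id in decision.blocking:
        print("  blocking:", rule_id)
    for note in decision.warnings:
        print("  warning:", note)
```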
Conclusion
• Security is not an afterthought
• Integrating security into DevOps requires changing mindsets
• Information security must adapt to development processes and tools
• In a regulated environment, DevOPS needs to evolve quickly
• A host of new security tools has been adapted for DevOps environments
• There is a need for best practices
Thank you

  • 5. Secure DevOPS: Awareness & a Guide to Practical Implementation Businesses need to accelerate the delivery of applications Focuses on quickly moving new features out to the customers Give Dev teams capability to deploy quickly and continuously … and the responsibility to support code in production Tear down the traditional silos of IT, namely between development and operations Puppet Labs 200x increase in speed from code commit to deploy 30x more frequent deployments 60% fewer production failures Bank of America 6x reduction in production defects Ticket Master Reduced Mean Time to Repair by 90% Source: https://www.slideshare.net/AndersLundsgrd/the-devops-journey-in-an-enterprise-scania-swisscom-software-day-2016 Why DevOPS
  • 6. Secure DevOPS: Awareness & a Guide to Practical Implementation Route to Secure DevOPS. Why: • Criminals & hackers focus on weakness • A part of your security strategy • Constantly Evaluate Business Risks • Federal, State, Local, Regulatory Challenges • Believed too costly • Split between Functionality and Speed • Private / Behind a firewall • Find and Fix • Tools and Resources. Considerations: • Risk Assessments • Policy – Procedures – Processes • Regulatory – PCI, HIPAA, FISMA • Physical Infrastructure • Methodology • Data Strategy • Threat Modeling • Testing Source: https://www.cisecurity.org/webinar/foundations-of-an-application-security-program/
  • 7. Secure DevOPS: Awareness & a Guide to Practical Implementation Security within the end-to-end product lifecycle Continuous Integration Continuous Deployment and Delivery Continuous Security Feedback Security Considerations Design and Tested Security hardened Security controls Monitoring
  • 8. Secure DevOPS: Awareness & a Guide to Practical Implementation Common Requirements • Access Control • Audit and Accountability • Configuration Management • Identification and Authentication • Incident Response • Maintenance • Media Protection • Personnel Security • Physical Protection • Security Assessment • System & Comm. Protection • System & Information Integrity
  • 9. Secure DevOPS: Awareness & a Guide to Practical Implementation Identify known vulnerabilities Use of reusable libraries and frameworks The amount of custom code is reducing considerably Open-source software (OSS) presents a unique challenge
  • 10. Secure DevOPS: Awareness & a Guide to Practical Implementation Secure Configurations for HW & SW Known vulnerabilities Use custom hardened system images Center for Internet Security (CIS) CICD Tools simplify process of rolling out
  • 11. Secure DevOPS: Awareness & a Guide to Practical Implementation Continuous Vulnerability Assessment and Remediation Keep up with new Vulnerabilities Reuse of Automation Framework AB Testing and Blue Green Deployment Scanning during Development. Patch Set A: 37 vulnerabilities, return time 15 ms, # errors/1000: 300, visits/user: 50. Patch Set B: 2 vulnerabilities, return time 25 ms, # errors/1000: 100, visits/user: 150.
  • 12. Secure DevOPS: Awareness & a Guide to Practical Implementation Application Software Security Vulnerabilities found in 98% of apps Security assessments CICD Tools Advantages Run Additional Test in Staging in parallel Trustwave Global Security Report
  • 13. Secure DevOPS: Awareness & a Guide to Practical Implementation Controlled Use of Administrative Privileges The DevOps model Controlling administrative credentials becomes even more important In an “infrastructure as code” environment, the code itself acts as a privileged user Other systems provide ways to manage their own secrets Lack more advanced features
  • 14. Secure DevOPS: Awareness & a Guide to Practical Implementation OWASP Top 10 Project Guidelines •Threat modeling scenarios SQL injection Cross-site scripting Cross-site request forgery Broken authentication and session management Unsecure direct object references Security misconfiguration Foundational security hygiene Embedded keys or credentials in the application System patching Target high value assets
  • 15. Secure DevOPS: Awareness & a Guide to Practical Implementation Tooling that can help • Identify actual and potential coding issues, including those identified in OWASP • YASCA, HP Fortify, IBM AppScan, VisualCodeGrepper, Nessus, OpenSCAP, Black Duck, SonarQube …. BlackDuck • scans and manages opensource software • supports mixed LDAP/DB auth, • good UI LAPSE • OWASP Security Scanner • Java EE Nessus • system vulnerabilities • missing patches • non-compliant system configurations OpenScap • utilizes XCCDF • system configurations for the operating system against an established checklist profile ClamAV • antivirus scanner for Linux operating systems Windows Defender • antivirus scanner for Windows operating systems Note: This is not an endorsement of any tools. The reader is encouraged to evaluate each tool independently.
  • 16. Secure DevOPS: Awareness & a Guide to Practical Implementation Conclusion Security is not an afterthought Integrating security into DevOps requires changing mindsets Information security must adapt to development processes and tools Regulated environment, DevOPS needs to evolve quickly Host of new security tools adapted for DevOps environments There is need for Best Practices
  • 17. Secure DevOPS: Awareness & a Guide to Practical Implementation Thank you

Editor's Notes

  1. https://www.forbes.com/sites/stevedenning/2016/08/13/what-is-agile/ Agile’s emergence as a huge global movement extending beyond software is driven by the discovery that the only way for organizations to cope with today’s turbulent customer-driven marketplace is to become Agile. Agile enables organizations to master continuous change. It permits firms to flourish in a world that is increasingly volatile, uncertain, complex and ambiguous. “What if we could create workplaces that drew on all the talents of those doing the work? What if those talents were totally focused on delivering extraordinary value to the customers and other stakeholders for whom the work is being done? What if those receiving this unique value would be willing to offer generous recompense for it? What would these workplaces look like? How would they operate? How would they be reconciled with existing goals, principles and values? Could they operate at scale? If so, would the answers have implications for all organizations, not just software development?” Scaled Agile Framework: SAFe https://www.scaledagileframework.com/what-is-safe/ Scaled Agile Framework®, also known as SAFe® , is an enterprise-scale development methodology, developed by Scaled Agile, Inc. SAFe combines Lean and Agile principles within a templated framework.
  2. Businesses need to accelerate the delivery of applications Focuses on quickly moving new features out to the customers Not about specific tools, but improves adoption Bringing teams together, agile on steroids Organized not from a project delivery standpoint, but have a more product delivery focus Give Dev teams capability to deploy and the responsibility to support code in production Tear down the traditional silos of IT, namely between development and operations Aims at removing bottlenecks, conflicts, and risk from the lifecycle between business decision and customer outcome The 2015 Puppet Labs State of DevOps Report shows organizations achieving 200x increase in speed from code commit to deploy 30x more frequent deployments 60% fewer production failures Bank of America cites 6x reduction in production defects Ticketmaster Reduced their Mean Time to Repair by 90% Businesses are looking to accelerate the delivery of production quality software with fewer defects, and better security. Continuous Integration/Continuous Deployment (CI/CD) also known as DevOps is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. The rapid automation of the integration and deployment activities is common especially on cloud-based platforms. Adding security testing into the DevOps pipeline can help address the needs of regulated, compliance and public sector focused organizations. This white paper describes the use of open source technologies and commercial packages to design and deploy a Secure DevOps pipeline. Tools such as Yasca, SonarQube, and OpenSCAP amongst others when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify and others provide a robust SecDevOps implementation. Since the first DevOps Days conference was held in 2009, adoption of DevOps strategies has been growing rapidly, with 25% of global IT companies predicted to have moved towards DevOps by 2016 (Gartner, 2015). 
The very definition of DevOps is still evolving, but most agree it encompasses a set of cultural values in addition to the tools and practices that enable continuous delivery (Loukides, 2015). Continuous delivery provides a competitive advantage to software companies (Humble, 2014) by lowering the risk and cost associated with releases. It also enables near-immediate feedback on new features; practicing continuous delivery requires collaboration and empathy amongst the teams involved in the delivery process (Fowler, 2013). Configuration management systems automate the provisioning of new systems, enforcing consistent application installation, system and application configuration across classes of servers. The configuration information lives in a source code repository, and systems such as Chef, Puppet, Salt, or Ansible allow developers to treat the configuration of the servers that will run application software as code. This “infrastructure as code” can itself be versioned and tested, providing assurances that identical configurations will be in place everywhere, and improving the odds that software that tested fine in the staging system will be fine in production as well (Riley, 2014). Finally, an automated system for reliably moving software through the build -> deploy -> test -> release process is the key component (Humble & Farley, 2010) in any DevOps system. Continuous integration tools such as Jenkins make a formerly slow and error-prone task easy and repeatable, enabling the deployment of small changes and giving fast feedback about how the code operates and what customers think about new features. DevOps is becoming the preferred approach for the rapid development and continuous delivery of these new IT-enabled capabilities. Implemented correctly, DevOps offers IT organizations improved speed of development by embracing a collaborative philosophy that tears down traditional silos of development and operations. 
However, in most cases, security and compliance have been afterthoughts to DevOps.
  3. Why Criminals & hackers focus on weakness Leads to breaches A part of your security strategy Constantly Evaluate Business Risks Federal, State, Local, Regulatory Challenges Believed too costly Split between Functionality and Speed Private / Behind a firewall Find and Fix Tools and Resources Considerations Risk Assessments Policy – Procedures – Processes Regulatory – PCI, HIPAA, FISMA Physical Infrastructure Methodology Data Strategy Mapping, Collection, Storage, Cleaning Decommissioning and Retention Threat Modeling Testing
  • 4. CI: Frequent Code Check-ins, Focus on Code Quality, Automated Tests, Find & Fix Bugs/Issues Soon. CD: Begin each software development project by first creating the supporting CI pipeline to ensure that the necessary resources are in place before development begins. Begin the process of building your CI pipeline by specifying the desired outcomes to be achieved and the required artifacts to be generated. Next, assess and document your current build process and infrastructure. Use the first two steps to redesign your process to ensure that the CI pipeline delivers the necessary results. Establish baseline metrics — such as frequency and execution time of application builds, build and deployment failures, and repeated errors — before integrating each application, and monitor those metrics throughout the application life cycle. Use the baseline metrics to evaluate the success of each change, and adapt when changes to the process don't deliver the expected benefits. Choose an application with established (but not yet automated) build and deployment processes as your pilot. As the process matures, expand the process to other applications that are supported by your development organization. Challenges: audit of a security program with relative immaturity and lack of corporate backing; tools that are new to the market or open-sourced; reliance on IaaS and PaaS, which reduces control and visibility at the hardware and network layer. The flexibility of cloud providers to quickly scale up and down makes them attractive in DevOps environments. The CI/CD or DevOps security lifecycle begins with code development and integration. As the code is committed for deployment, the CI/CD security processes are activated. Common action items include static code analysis, vulnerability scanning, anti-virus scans and other similar integrity functions. The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization.
In order to comply with NIST requirements for applying secure engineering principles, application developers should utilize code analysis utilities to ensure safe coding practices are followed. Project teams should leverage code analysis utilities as early as possible in the development lifecycle; the project will then experience fewer delays and less rework due to flaws and other security concerns. At a minimum, code analysis should be performed as code modules are completed, but it is not necessary for modules to be completely finished for code review to be useful. Commit Code to CI/CD: as application code is committed to the CI/CD branch in the git repository, CI/CD performs a security review utilizing automated static code analysis tools.
  5. Compliant Architecture Identify compliance & requirements first Select eligible services through trusted sources and suppliers Create cloud-native solution architecture Continuous Monitoring and Management Implement tools for governance, security and cloud operations Define processes and assign roles Define artifacts and operate against SLA’s Accreditations and Authorization Document system security plan Create security backlog in plan of actions and milestones Incident response plan
  • 6. Use of reusable libraries and frameworks leads to a shift in focus for security scanning: the majority of risk can be addressed by identifying known vulnerabilities and misconfiguration. Vulnerability assessment vendors are adapting their scanning capabilities, and some toolchain element vendors like Docker are integrating this capability. The importance of this best practice cannot be overstated: the breach at Equifax may have had a root cause of a known vulnerability issue in Apache Struts, as stated by Equifax; likewise OpenSSL's Heartbleed. Open-source software (OSS) presents a unique challenge, since the developer may simply cut and paste source code.
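The "identify known vulnerabilities" practice above amounts to comparing every pinned dependency against a feed of affected version ranges and breaking the build when a match crosses a severity threshold. The following is an added example, not code from the deck or from any scanner vendor it names; the package names, version ranges and advisory references are constructed placeholders, and a real pipeline would load the feed from a vulnerability database instead of a literal.

```python
"""Audit a pinned dependency manifest against a known-vulnerability feed.

Added example, not from the slide deck. The package names, version ranges and
advisory identifiers below are constructed placeholders, not real advisories.
"""
import re
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """'2.3.10' -> (2, 3, 10): compare numerically so 2.3.10 > 2.3.9 (a string compare gets this wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    severity: str
    ref: str          # constructed placeholder, not a real CVE id


# Constructed advisory feed; a real pipeline would pull this from a vulnerability database.
ADVISORIES = (
    Advisory("example-web-framework", "2.0.0", "2.3.12", "CRITICAL", "ADV-0001 (constructed)"),
    Advisory("example-tls-lib", "1.0.0", "1.1.0", "HIGH", "ADV-0002 (constructed)"),
    Advisory("example-logging", "4.0.0", "4.2.0", "MEDIUM", "ADV-0003 (constructed)"),
)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines (pip requirements style); comments and blanks are ignored."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            # An unpinned dependency cannot be audited reproducibly, so refuse it.
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def audit(manifest_text: str, advisories=ADVISORIES) -> list:
    """Return (package, version, severity, ref) for every dependency inside an affected range."""
    deps = parse_manifest(manifest_text)
    return [
        (adv.package, deps[adv.package], adv.severity, adv.ref)
        for adv in advisories
        if adv.package in deps and is_affected(deps[adv.package], adv)
    ]


def build_should_fail(findings, fail_on=("CRITICAL", "HIGH")) -> bool:
    """Gate: break the build when any finding meets the severity threshold."""
    return any(sev in fail_on for _, _, sev, _ in findings)


SAMPLE_MANIFEST = """\
# constructed requirements file for the pipeline under test
example-web-framework==2.3.4
example-tls-lib==1.2.0
example-logging==4.1.0
"""

if __name__ == "__main__":
    found = audit(SAMPLE_MANIFEST)
    for pkg, ver, sev, ref in found:
        print(f"{sev:8} {pkg}=={ver}  {ref}")
    print("build status:", "FAIL" if build_should_fail(found) else "PASS")
```

The numeric version tuple is the part that matters: a naive string comparison would call `2.3.4` newer than `2.3.12`, which is exactly the kind of mistake that lets a known-vulnerable Struts or OpenSSL build through. The severity threshold is deliberately a parameter so that a regulated pipeline can tighten it without touching the audit logic.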
  • 7. Once hardened configurations for operating systems and application components are developed, DevOps deployment tools and configuration management services like Puppet, Chef, Ansible and Salt greatly simplify the process of rolling these out to all systems and keeping the configurations in sync over time. Docker and other container technologies are increasingly popular methods for deploying applications in DevOps environments, due to advantages in portability, efficiency in resource sharing and speed of deployment. Docker also offers some security advantages, in the form of increased isolation of applications, particularly in multi-tenant environments. Docker images, however, cannot be patched and updated or have their running configuration changed on the fly; updated software or secure configuration must be baked in as part of the image build and new containers deployed, leading to situations where multiple container versions of varying security may be running. https://www.cisecurity.org/benchmark/docker/
  • 8. Continuous Vulnerability Assessment and Remediation. Challenge: keeping up with the relentless pace of newly announced vulnerabilities. However, the focus on automation, testing, and continuous monitoring in DevOps environments can be advantageous: the same systems that allow automated deployments of new application code via thorough unit and functional testing provide a strong foundation for testing new patches. Deployment strategies such as Blue/Green deployments and A/B testing allow gradual rollout and immediate feedback regarding issues and changes in system behavior. Security scans that happen as part of the deployment process provide verification that updates address known issues and reach all intended targets.
  • 9. Trustwave Global Security Report: vulnerabilities were found in 98% of the applications scanned (data leakage, cross-site scripting, SQL injection and authorization, among others). Security assessments - PenTesting. CICD Tools Advantages: Jenkins, Hudson and similar tools provide easy support via plugins for code review and for running static analysis as part of the pipeline. These acceptance tests should be designed to complete quickly and can be run before new code is even deployed to the integration/staging environment. Further security testing, such as tests of security related functionality, vulnerability scanning, and application security scans, can then be run in parallel to other acceptance testing within the staging environment.
  • 10. In the DevOps model everyone has the potential to administer systems and debug production issues, so controlling administrative credentials becomes even more important. In a continuous deployment, “infrastructure as code” environment, the code itself acts as a privileged user, and these credential “secrets” must be used by the orchestration systems. Secrets management systems aim to add role-based access control and auditability to the DevOps system. Configuration management systems like Chef and Puppet provide their own solutions for protecting secrets stored within the infrastructure code using public key encryption, but lack more advanced features such as role-based controlled access to the secrets, or full featured support for rotating passwords and SSH keys. Secrets management systems like Hashicorp’s Vault and Conjur’s SSH Management solution provide methods to automatically provision temporary access via one-time passwords or SSH keys and to enable SSH key rotation for service accounts.
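A secrets manager only helps if credentials are not also sitting in the infrastructure code it is meant to replace, which is the "why not to embed keys or credentials in the application code or scripts" training point from the OWASP slide and the concern about code acting as a privileged user above. The check below is an added example of the pre-commit scan a pipeline can run for that; it is not code from the deck or from Vault, Conjur, Chef or Puppet. The configuration text, variable names and token values are constructed, the credential-name patterns are generic rather than vendor-specific, and the `# nosecret` allow-list marker and the 4.0-bit entropy threshold are assumptions chosen for the example.

```python
"""Flag credentials embedded in code or configuration before they reach the repository.

Added example, not from the slide deck. The sample file, names and token values
are constructed; the patterns are generic, not tied to any vendor's key format.
"""
import math
import re
from collections import Counter

# A literal assigned to a credential-looking name: password = "...", api_key: '...'
ASSIGNMENT_RE = re.compile(
    r"""(?i)(pass(word)?|passwd|secret|api[_-]?key|token|private[_-]?key)\b\s*[:=]\s*["']([^"']{6,})["']"""
)
# Long base64-ish or hex-ish runs: candidates for the entropy check.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
# Obvious placeholders that should not raise a finding.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}
ALLOW_MARKER = "# nosecret"   # assumed reviewed allow-list marker


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking key material scores high, 'aaaa...' scores 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<memory>", entropy_threshold: float = 4.0) -> list:
    """Return (path, line, kind, detail) for each suspected embedded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in line:
            continue
        m = ASSIGNMENT_RE.search(line)
        if m:
            if m.group(3).lower() not in PLACEHOLDERS:
                findings.append((path, lineno, "credential-assignment", m.group(1)))
            continue
        # No credential-named assignment: fall back to spotting random-looking material.
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= entropy_threshold:
                findings.append((path, lineno, "high-entropy-string", tok[:8] + "..."))
                break
    return findings


def has_blocking_findings(findings) -> bool:
    """Gate for the commit hook: any finding blocks the commit."""
    return bool(findings)


# Constructed deployment config; none of these values are real credentials.
SAMPLE = """\
# constructed deployment config
db_host = "db.internal"
db_password = "changeme"  # placeholder, not a real secret
prod_db_password = "Tr0ub4dor&3xyz"
deploy_token: "gA3kZ9pQx1Lm7vB2Yt5Rw8Nc4Hs6Jd0"
hmac_material = 'k7J2mQ9xP4vL8nR3tY6wB1zC5hF0dG'
build_id = "aaaaaaaaaaaaaaaaaaaaaaaa"
region = "us-east-1"
"""

if __name__ == "__main__":
    for path, lineno, kind, detail in scan_text(SAMPLE, "deploy.cfg"):
        print(f"{path}:{lineno}: {kind} ({detail})")
```

Two edge cases are handled on purpose: the placeholder `changeme` on line 3 is ignored so the hook does not cry wolf on templates, and the 24-character `build_id` on line 7 is long enough for the token pattern but has zero entropy, so it is not reported. The entropy pass is what catches line 6, where the variable name gives nothing away.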
  11. When code has been committed to the CI/CD Git repository the associated Jenkins job builds the code base. The Jenkins build invokes a Yasca scan of the committed code, which creates a Yasca report in HTML format as well as CSV format. The Yasca results CSV file is further processed and formatted into an xml document. After the Yasca file is processed, Sonar Scanner is invoked to analyze the created XML file using custom rules to map the Yasca results into the SonarQube dashboard. The OWASP Top 10 Project and similar publicly available guidelines are a great start.3 The training should include: How to build and maintain simple threat modeling scenarios (thinking like a bad guy) Input whitelisting, filtering and sanitization for user input and files SQL injection Cross-site scripting Cross-site request forgery Broken authentication and session management Unsecure direct object references Security misconfiguration Foundational security hygiene Why not to embed keys or credentials in the application code or scripts The importance of patching How and why hackers will target admins for credential theft and how to avoid this Plugins Grep Plugin. Uses external GREPfiles to scan target files for simple patterns. PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues. JLint Plugin. Uses J-Lint to scan Java .class files for issues. antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues. FindBugs Plugin. Uses FIndBugs to scan Java class and Jar files for issues. Lint4J Plugin. Uses Lint4J to scan Java .class files for issues. Yasca plugins implement five (5) severity levels: 1 – Critical, 2–High, 3 – Warning, 4–Low, 5 – Informational SonarQube implements five (5) severity levels: • Blocker • Critical • Major • Minor • Info
  • 12. https://www.checkmarx.com/2014/11/13/the-ultimate-list-of-open-source-static-code-analysis-security-tools/
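The Yasca-to-SonarQube step described in note 11 (CSV report, reformatted, mapped onto the SonarQube dashboard) and the scan-then-report step of the CI lifecycle in note 4 come down to one small transform plus a gate. The code below is an added example, not the deck's or either project's own tooling: the CSV column layout and the finding rows are constructed, and instead of the custom-rules XML the notes describe it emits SonarQube's generic issue import JSON (the `sonar.externalIssuesReportPaths` format), which is a swapped-in technique. The two five-level severity ladders are the ones the note lists.

```python
"""Convert a Yasca-style CSV report into SonarQube generic-issue JSON and gate the build.

Added example, not from the slide deck, Yasca or SonarQube. The CSV layout and the
finding rows are constructed; the severity ladders are those listed in the notes.
"""
import csv
import io
import json

# Note 11: Yasca 1 Critical, 2 High, 3 Warning, 4 Low, 5 Informational
#          SonarQube Blocker, Critical, Major, Minor, Info
YASCA_TO_SONAR = {"1": "BLOCKER", "2": "CRITICAL", "3": "MAJOR", "4": "MINOR", "5": "INFO"}

# Constructed report; the plugin names are the Yasca plugins the note lists.
SAMPLE_CSV = """\
plugin,severity,file,line,message
Grep,1,src/db.py,42,SQL statement built by string concatenation
PMD,3,src/util.java,10,Unused local variable
FindBugs,2,build/App.class,0,Hard-coded credential in class file
antiC,4,src/native/buf.c,88,Call to strcpy
"""


def parse_yasca_csv(text: str) -> list:
    """Read the constructed CSV layout; unknown severities are rejected rather than guessed."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip()
        if sev not in YASCA_TO_SONAR:
            raise ValueError(f"unknown Yasca severity {sev!r}")
        rows.append({
            "plugin": row["plugin"].strip(),
            "severity": sev,
            "file": row["file"].strip(),
            "line": int(row["line"]),
            "message": row["message"].strip(),
        })
    return rows


def to_sonar_issues(rows: list, engine_id: str = "yasca") -> dict:
    """Build the generic issue import document (one entry per finding)."""
    issues = []
    for r in rows:
        location = {"message": r["message"], "filePath": r["file"]}
        if r["line"] > 0:
            # Line 0 in the constructed report means a whole-file finding (e.g. a .class file).
            location["textRange"] = {"startLine": r["line"]}
        issues.append({
            "engineId": engine_id,
            "ruleId": f"{engine_id}:{r['plugin'].lower()}",
            "severity": YASCA_TO_SONAR[r["severity"]],
            "type": "VULNERABILITY",
            "primaryLocation": location,
        })
    return {"issues": issues}


def gate(report: dict, fail_on=("BLOCKER", "CRITICAL")) -> list:
    """Findings that should fail the Jenkins job; everything else is dashboard-only."""
    return [i for i in report["issues"] if i["severity"] in fail_on]


def convert(csv_text: str) -> str:
    """CSV in, JSON document out, ready to be written to the path SonarQube reads."""
    return json.dumps(to_sonar_issues(parse_yasca_csv(csv_text)), indent=2)


if __name__ == "__main__":
    report = to_sonar_issues(parse_yasca_csv(SAMPLE_CSV))
    print(json.dumps(report, indent=2))
    blocking = gate(report)
    print(f"{len(blocking)} blocking finding(s); build {'FAILS' if blocking else 'passes'}")
```

The mapping table is the only place the two severity ladders meet, so changing the threshold (for example failing on Yasca "Warning" as well) is a one-line edit to `fail_on`, and the rejected-severity branch keeps a malformed scanner report from silently passing the gate.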
  • 13. Integrating security into DevOps to deliver "DevSecOps" requires changing mindsets, processes and technology. Security and risk management leaders must adhere to the collaborative, agile nature of DevOps to be seamless and transparent in the development process, making the Sec in DevSecOps silent. If adopting a DevOPS framework, information security must adapt to development processes and tools, not the other way around. But that does not change the fact that organizations producing new applications and services using DevOps have the same responsibility to produce secure and compliant code as required for any other application. The success of the DevOps movement means that DevOps practices are being adopted by diverse organizations, from small startups to Fortune 500 companies. As the movement matures, security is no longer an afterthought and consensus is building about the right ways to integrate security best practices into the DevOps cultural and technical evolution. There has been an explosion in the number of tools available to help secure DevOps environments, from repository firewalls (Weeks, 2015) to new application scanners and security functional test infrastructures (DeVries, 2015), to new SSH management solutions and the ability to scan Docker containers (Doran, 2015). Part of the DevOps philosophy and the typical microservices architecture is the freedom to choose the tools that are best for a particular culture and environment. In a regulated environment, DevOps teams will need to involve security early in the process to ensure a smooth deployment for new features; the opportunity for greater collaboration with security teams can only be a positive step. The glut of new security tools adapted for DevOps environments has the ability to provide new levels of visibility and automation for implementing security controls. Such new tools may not be fully mature, however, and may have flaws or lack features present in more established products.
There is also a lack of precedent when it comes to using such tools for audit against security standards. As the shift towards DevOps continues, we can expect increased maturity for DevOps security tools and best practices that should make implementation of these important controls easier in the future. From a security perspective, this mindset can be advanced and has the potential to radically improve security by proactively "killing" workloads and replacing them with versions from a known good state.