SlideShare a Scribd company logo
Application Security
automation with
DevOps tools and clouds
OWASP Kyiv 2017
Agenda
• Problematics
• SecOps vs Pentester needs
• HW VM vs Container
• How to select the tool
• Docker as universal solution
• Security of “Citadel”
• Conclusion
• Practice demonstration
Problematics
• Administration routine
• Inventory
• Configuration management
• Backup and recovery
• Classic enterprise or qualified team?
• Auditor probes of server configs:)
SecOps vs Pentester needs
SecOps Pentester Admins
Scanners
Permanent with ticketing
service!
Temporary and scalable
One more scan — one
more damage:)
Monitoring Fullest
Terminal bells can be
enough:)
Zabbix our ALL
Backups
Full with strong plan and
copies
Evidences for report Sometimes we need it
Data encryption
Secured by vendor and
checked by auditor
Always if responsible for
customer security
Once more that keys
entering…%(
Cloud&
Virtualization
Own DC is preferred Ideal surround
Automation NO, Enterprise…
Any deployment with
tools and scripts
It’s for DevOps:)
But automation is your time! For recovery, incident response, project time
and money.
HW VM vs Container
VM Container
Perfomance More resources are taken for each
VM
Sharing single kernel resources
Management Need additional mgmt systems Simple scripting
Provisioning OpenStack, … Native swarm, kubernetes
Automation Different for each VM Can be done by Host machines
Select depending on tasks and plans!
How to select the tool
Chef and Puppet are oldest, more established options, making them good for larger enterprises
and environments that value maturity and stability over simplicity.
Ansible and SaltStack are good options for those looking for fast and simple solutions while
working in environments that don’t need support for quirky features or lots of OSs.
If RedHat only distributions good option is Spacewalk
Chef Puppet SaltStack Ansible
Architecture Client/Server Client/Server
Client/Server
Client mode
Client Only
Parallelization Full Full Partial One-by-one
Licensing Fully paid
Open
Paid Enterprise
Open
Paid Enterprise
Open
Paid Tower
Container
support
Native docker
module
Docker by
external module
Native docker
module
Native docker
module
Cloud
support
Full in
Enterprise
Full in
Enterprise
Full Full
SaltStack vs Ansible
SaltStack Ansible
Architecture
salt-master(servers)/salt-minion(clients)
over own TCP connection
SSH access only from
anywhere(configured host) to servers
Speed Fast paralilysed execution
Very slow for big scopes: server by server
execution
Code
structure
Mostly general modules for any platform
(better tested and included on client side)
Exact modules for each feature/platform
(execution of imported code — more fails)
Orchestration
More featured and have monitoring:
events&reactors — responses on minion
events
Very simple structuring of roles and
playbooks
Security
Use TCP connections with own AES protocol
using PyCrypto package
Flexible SSH configuration and more
tested protocol
Sensitive data Secured master machine
Secured admin’s or dedicated VM
mashine
Deployment
Complex server deployment but very
scalable and distributed
Very simple installation, update, scaling
and migration
Docker as universal solution
• Implement docker-engine at any cloud provider
• HW&Security limitation now out-the-box
• Kali on AWS?:) — import-export your container anywhere
• Scanner limits — scale anywhere your own or pulled
containers (Sn1per for recon for example)
• Manage docker hosts&containers with saltstack or
ansible
• Need visualization — try kubernetes
Main docker features
• Rapid application deployment – containers include the minimal runtime requirements
of the application, reducing their size and allowing them to be deployed quickly.
• Portability across machines – an application and all its dependencies can be bundled
into a single container that is independent from the host version of Linux kernel,
platform distribution, or deployment model. This container can be transfered to
another machine that runs Docker, and executed there without compatibility issues.
• Version control and component reuse – you can track successive versions of a
container, inspect differences, or roll-back to previous versions. Containers reuse
components from the preceding layers, which makes them noticeably lightweight.
• Sharing – you can use a remote repository to share your container with others. And it
is also possible to configure your own private repository.
• Lightweight footprint and minimal overhead – Docker images are typically very
small, which facilitates rapid delivery and reduces the time to deploy new
application containers.
• Simplified maintenance – Docker reduces effort and risk of problems with application
dependencies.
• Security&resource limitations – Docker has flexible features of security and HW
resources limitations and network segmentation.
Security of “Citadel”
• FDE as must (LUKS for key container at least)
• Security monitoring (ossec+ELK or Splunk)
• No ssh passwords — key access only
• ACL limitation or VPN
• ansible-vault and salt shadow.set_password
Conclusion
• DevOps is not only the next level of admins —
it’s strong solution for any IT&Dev&Security

More Related Content

More from OWASP Kyiv

Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101
OWASP Kyiv
 
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
OWASP Kyiv
 
Ivan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git Push
OWASP Kyiv
 
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL PinningDima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
OWASP Kyiv
 
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
OWASP Kyiv
 
Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?
OWASP Kyiv
 
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
OWASP Kyiv
 
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
OWASP Kyiv
 
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSockets
OWASP Kyiv
 
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
OWASP Kyiv
 
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
OWASP Kyiv
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
OWASP Kyiv
 
Vlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All Love
OWASP Kyiv
 
Volodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya Investigation
OWASP Kyiv
 
Ihor Bliumental - Collision CORS
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORS
OWASP Kyiv
 
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
OWASP Kyiv
 
Ihor Bliumental – Is There Life Outside OWASP Top-10
Ihor Bliumental – Is There Life Outside OWASP Top-10Ihor Bliumental – Is There Life Outside OWASP Top-10
Ihor Bliumental – Is There Life Outside OWASP Top-10
OWASP Kyiv
 
Roman Rott – Ruby for Pentesters
Roman Rott – Ruby for PentestersRoman Rott – Ruby for Pentesters
Roman Rott – Ruby for Pentesters
OWASP Kyiv
 

More from OWASP Kyiv (18)

Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101
 
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
 
Ivan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git Push
 
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL PinningDima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
 
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
 
Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?
 
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
 
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
 
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSockets
 
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
 
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
 
Vlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All Love
 
Volodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya Investigation
 
Ihor Bliumental - Collision CORS
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORS
 
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
 
Ihor Bliumental – Is There Life Outside OWASP Top-10
Ihor Bliumental – Is There Life Outside OWASP Top-10Ihor Bliumental – Is There Life Outside OWASP Top-10
Ihor Bliumental – Is There Life Outside OWASP Top-10
 
Roman Rott – Ruby for Pentesters
Roman Rott – Ruby for PentestersRoman Rott – Ruby for Pentesters
Roman Rott – Ruby for Pentesters
 

Recently uploaded

(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
Axel Rennoch
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Zilliz
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
huseindihon
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
Shiv Technolabs
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
RaminGhanbari2
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
digitalxplive
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
Pigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending PlantPigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending Plant
LINUS PROJECTS (INDIA)
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Neo4j
 

Recently uploaded (20)

(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
Pigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending PlantPigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending Plant
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
 

Taras Bobalo – Application Security Automation with DevOps Tools and Clouds

  • 1. Application Security automation with DevOps tools and clouds OWASP Kyiv 2017
  • 2. Agenda • Problematics • SecOps vs Pentester needs • HW VM vs Container • How to select the tool • Docker as universal solution • Security of “Citadel” • Conclusion • Practice demonstration
  • 3. Problematics • Administration routine • Inventory • Configuration management • Backup and recovery • Classic enterprise or qualified team? • Auditor probes of server configs:)
  • 4. SecOps vs Pentester needs SecOps Pentester Admins Scanners Permanent with ticketing service! Temporary and scalable One more scan — one more damage:) Monitoring Fullest Terminal bells can be enough:) Zabbix our ALL Backups Full with strong plan and copies Evidences for report Sometimes we need it Data encryption Secured by vendor and checked by auditor Always if responsible for customer security Once more that keys entering…%( Cloud& Virtualization Own DC is preferred Ideal surround Automation NO, Enterprise… Any deployment with tools and scripts It’s for DevOps:) But automation is your time! For recovery, incident response, project time and money.
  • 5. HW VM vs Container VM Container Perfomance More resources are taken for each VM Sharing single kernel resources Management Need additional mgmt systems Simple scripting Provisioning OpenStack, … Native swarm, kubernetes Automation Different for each VM Can be done by Host machines Select depending on tasks and plans!
  • 6. How to select the tool Chef and Puppet are oldest, more established options, making them good for larger enterprises and environments that value maturity and stability over simplicity. Ansible and SaltStack are good options for those looking for fast and simple solutions while working in environments that don’t need support for quirky features or lots of OSs. If RedHat only distributions good option is Spacewalk Chef Puppet SaltStack Ansible Architecture Client/Server Client/Server Client/Server Client mode Client Only Parallelization Full Full Partial One-by-one Licensing Fully paid Open Paid Enterprise Open Paid Enterprise Open Paid Tower Container support Native docker module Docker by external module Native docker module Native docker module Cloud support Full in Enterprise Full in Enterprise Full Full
  • 7. SaltStack vs Ansible SaltStack Ansible Architecture salt-master(servers)/salt-minion(clients) over own TCP connection SSH access only from anywhere(configured host) to servers Speed Fast paralilysed execution Very slow for big scopes: server by server execution Code structure Mostly general modules for any platform (better tested and included on client side) Exact modules for each feature/platform (execution of imported code — more fails) Orchestration More featured and have monitoring: events&reactors — responses on minion events Very simple structuring of roles and playbooks Security Use TCP connections with own AES protocol using PyCrypto package Flexible SSH configuration and more tested protocol Sensitive data Secured master machine Secured admin’s or dedicated VM mashine Deployment Complex server deployment but very scalable and distributed Very simple installation, update, scaling and migration
  • 8. Docker as universal solution • Implement docker-engine at any cloud provider • HW&Security limitation now out-the-box • Kali on AWS?:) — import-export your container anywhere • Scanner limits — scale anywhere your own or pulled containers (Sn1per for recon for example) • Manage docker hosts&containers with saltstack or ansible • Need visualization — try kubernetes
  • 9. Main docker features • Rapid application deployment – containers include the minimal runtime requirements of the application, reducing their size and allowing them to be deployed quickly. • Portability across machines – an application and all its dependencies can be bundled into a single container that is independent from the host version of Linux kernel, platform distribution, or deployment model. This container can be transfered to another machine that runs Docker, and executed there without compatibility issues. • Version control and component reuse – you can track successive versions of a container, inspect differences, or roll-back to previous versions. Containers reuse components from the preceding layers, which makes them noticeably lightweight. • Sharing – you can use a remote repository to share your container with others. And it is also possible to configure your own private repository. • Lightweight footprint and minimal overhead – Docker images are typically very small, which facilitates rapid delivery and reduces the time to deploy new application containers. • Simplified maintenance – Docker reduces effort and risk of problems with application dependencies. • Security&resource limitations – Docker has flexible features of security and HW resources limitations and network segmentation.
  • 10. Security of “Citadel” • FDE as must (LUKS for key container at least) • Security monitoring (ossec+ELK or Splunk) • No ssh passwords — key access only • ACL limitation or VPN • ansible-vault and salt shadow.set_password
  • 11. Conclusion • DevOps is not only the next level of admins — it’s strong solution for any IT&Dev&Security