Devops, Docker and Security. John

Size: px

Start display at page:

Download "Devops, Docker and Security. John"

Shanna Wilkins
5 years ago
Views:

1 Devops, Docker and Security John

2 About Me One of the founding members of Devopsdays Co-author of the Devops Handbook. Author of the Introduction to Devops on Linux Foundation edx. Podcaster at devopscafe.org Devops Enterprise Summit - Cofounder Nine person in at Chef (VP of Customer Enablement) Formally Director of Devops at Dell Found of Socketplane (Acquired by Docker) 10 Startups over 25 years

5 What If I told you you could be 2000 times faster than your competitors 5

6 What if I told you that you could be 100 times more reliable than your competitors 6

7 What if you could have both 7

8 Faster, Effective, Reliable Devops (Faster) Immutable Docker (Effective) Supply Chain (Reliable) Service Delivery 8

9 Devops faster

10 DTO Solutions

11 Devops Taxonomies CAMS The Three Ways Culture Automation Measurement Sharing The First Way The Second Way The Third Way

Devops Practices and Patterns Continuous Delivery Everything in version control Small batch principle Trunk based deployments Manage flow (WIP)

12 Devops Practices and Patterns Continuous Delivery Everything in version control Small batch principle Trunk based deployments Manage flow (WIP) Automate everything Culture Everyone is responsible Done means released Stop the line when it breaks 12 Remove silos itrevolution.com/devops-handbook

Recent IT Performance Data is Compelling High performers compared to their peers 30x more frequent deployments 200x faster lead times 60x the change success rate 168x faster mean time to recover

13 Recent IT Performance Data is Compelling High performers compared to their peers 30x more frequent deployments 200x faster lead times 60x the change success rate 168x faster mean time to recover (MTTR) 2x 50% more likely to exceed profitability, market share & higher market capitalization growth over 3 years* productivity goals Data from 2014/2015 State of DevOps Report -

14 Recent IT Performance Data is Compelling High performers compared to their peers 30x more frequent deployments 2555x 200x faster lead times Faster 60x the change success rate 168x faster mean time to recover (MTTR) Higher Quality 2x 50% more likely to exceed profitability, market share & productivity goals higher market capitalization growth over 3 years* More Effective Data from 2014/2015 State of DevOps Report -

15 Conventional Wisdom Fast Pick Two! Good Cheap

16 Devops Automated Deployment Pipeline 16 Source: Wikipedia - Continuous Delivery

Devops Results Google Over 15,000 engineers in over 40 offices 4,000+ projects under active development 5500+

18 Devops Results Google Over 15,000 engineers in over 40 offices 4,000+ projects under active development code submissions per day (20+ p/m) Over 75M test cases run daily 50% of code changes monthly Single source tree 18

19 Devops Results Amazon 11.6 second mean time between deploys max deploys in a single hour. 10,000 mean number of hosts simultaneously receiving a deploy. 30,000 max number of hosts simultaneously receiving a deploy 19

20 Unicorns and Horses (Enterprises) Enterprise Unicorns 20 Shamelessly stolen and repurposed from: Pete Cheslock

21 Devops Results Enterprise Organizations Ticketmaster - 98% reduction in MTTR Nordstrom - 20% shorter Lead Time Target - Full Stack Deploy 3 months to minutes USAA - Release from 28 days to 7 days ING applications teams doing devops CSG - From 200 incidents per release to 18 21

22 Docker effective

23 IBM 360/370 (1960/1970) CHROOT - Version 7 Unix 1979 (Bell Labs) BSD in 1982 (Berkley) VMware (1998) FreeBSD Jails 2000 XEN 2003 History of Solaris Zones 2004 OpenVZ 2005 Amazon Web Services 2006 Namespaces 2007 Cgroups (Google) 2007 Virtualization KVM 2007 AIX LPARS (IBM) 2007 Drawbridge (2008) Hyper-V (2008) Linux Containers - LXC (Parelles, IBM, Google) 2008 Docker (Dotcloud Inc) 2013 Microsoft Docker on Windows Server 2016

24 Virtualization Type 1 Virtualization VMware ESX, XEN, Hyper-V Type 2 Virtualization KVM, Virtualbox, QEMU, VMware Workstation OS Level Virtualization OpenVZ, LXC, Docker

25 BodenRussell/realizinglinux-containerslxc

26 Why OS Level Virtualization Provision in milliseconds Near bare metal runtime performance VM-like agility it s still virtualization Lightweight Just enough Operating System (JeOS) Supported with modern Linux kernel Growing in popularity

28 Why Docker Isolation Lightweight Simplicity Workflow Security Community

29 Docker Security Enhancements Docker Security Scanning Docker Content Trust Docker Trusted Registry TLS by Default for Swarm/Docker Data Center Read Only Containers User Namespaces Secomp and LSMS support Enhanced System Capabilities support 29 Secrets Management Immutable Operating System (Coming Soon)

30 30 Immutable Delivery

31 31 Immutable Delivery

32 Supply Chain Reliable

33 33

House%ProducBon% 50%& 27%% 54%% 35 Plant%Suppliers% 16%&& 125% 800% Firm@Wide(Suppliers( 4%# 224(

35 Supply&chain&advantage& Toyota& Advantage& Toyota& Prius& Chevy& Volt& Unit%Retail%Price% 61%& $24,200% $39,900% Units%Sold/Month% 13x& 23,294% 1,788% In?House%ProducBon% 50%& 27%% 54%% 35 Plant%Suppliers% 16%&& 125% 800% 4%# 224( 5,500( Source:(Toyota(Supply(Chain( Management:(A(Strategic( Approach(to(Toyota s( Renowned(System,(by(Ananth( Iyer(and(Sridhar(Seshadri(

36 Use fewer, better suppliers Use their highest quality parts Track which parts you use & where

Toyota Production Systems - 4VL Variety Determine your variety of offerings based on operational efficiency and market demand Velocity Maintain a steady flow through all processes of the

37 Toyota Production Systems - 4VL Variety Determine your variety of offerings based on operational efficiency and market demand Velocity Maintain a steady flow through all processes of the supply chain Variability Manage inconsistencies carefully to reduce cost and improve quality Visibility 37 Ensure the transparency of all processes to enable continuous learning and improvement

38 Docker and the Three Ways of Devops 38

39 Immutable Service Delivery (4VL) Variety Learn faster, Limited frameworks, Limited operating systems, Limit vendors. Velocity Small Batch, Small Teams, Microservices and Containers Variability Docker and Immutable Delivery Use fewer, better suppliers Use their highest quality parts Track which parts you use & where Visibility Automated Testing, Docker Trust, 39 Docker Security Scanning, Bounded Context, Bill of Materials

40 Software Supply Chain - 4VL Visibility - Docker - Bill of Material 40 Where and when was it built and why What was its ancestor images How do I start, validate, monitor and update it What git repo is being built, what hash of that git repo was built What are all the tags this specific container is known as at time of build What s the project name this belongs to Have the ability to have arbitrary user supplied rich metadata

41 Devops Automated Deployment Pipeline 41 Source: Wikipedia - Continuous Delivery

42 DevSecOps Preventative Detective Requirements & Design Development CI Interval Trigger Assessment Production Application Risk Classification Security Requirement Definition Static Analysis/IDE Secure Libraries SCM Static Analysis (CI) Open Source Governance(CI) Dynamic Assessments Threat-Based Pen Test Perimeter Assessment Web Application Firewalls Automated Attack/ Bot Defense Threat modeling Secure Coding Standards Container Security Compliance (CI) Container Security Management Security Mavens (Security-Trained Developers and Operations) Lightweight threat modeling approach Role Based Software Security Training Continuous Monitoring, Analytics and KPI Gathering Detailed manual assessments triggered automatically at appropriate interval; detached from release cycle

43 Immutable Service Delivery Fortune 500 Insurance Company Tracks critical and high security defect rate per 10k lines of code Started out with (10/10k) After applying Devops practices and principles (4/10k) After applying Toyota Supply Chain 4VL (1/10k ) After Docker with Immutable Delivery (0.1/10k) 43

44 With Docker Fortune 500 Insurance Company One Service One Container One Read Only File System One Port 44

45 Immutable Service Delivery Devops (Faster) Docker (Effective) 2000x Faster and 100x Reliable Supply Chain (Reliable) 45

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training ISLET: An Attempt to Improve Linux-based Software Training Jon Schipp, AIDE 2015 jonschipp@gmail.com, @Jonschipp, jonschipp.com About me: Security Engineer for the National Center for Supercomputing Applications