DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

Similar documents
DevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1

I keep hearing about DevOps What is it?

Strengthen and Scale security using DevSecOps

Security as Code: The Time is Now. Dave Shackleford Founder, Voodoo Security Sr. Instructor, SANS

Logging, Monitoring, and Alerting

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

Creating a Hybrid Gateway for API Traffic. Ed Julson API Platform Product Marketing TIBCO Software

DevOps Agility in the Evolving Cloud Services Landscape

THE IMPACT OF HYBRID AND MULTI CLOUDS TO CYBERSECURITY PRIORITIES

Qualys Cloud Platform

Elizabeth Lawler CEO & Co-Founder Conjur,

Automating Security Practices for the DevOps Revolution

Development. Architecture QA. Operations

Securing Microservices Containerized Security in AWS

DevOps Course Content

NEXT GENERATION CLOUD SECURITY

DevOps Using VSTS and Azure

DevOps Tooling from AWS

Sunil Shah SECURE, FLEXIBLE CONTINUOUS DELIVERY PIPELINES WITH GITLAB AND DC/OS Mesosphere, Inc. All Rights Reserved.

Overcoming the Challenges of Automating Security in a DevOps Environment

How Can Testing Teams Play a Key Role in DevOps Adoption?

THE ART OF SECURING 100 PRODUCTS. Nir

Put Security Into Your DevOps NOW. Or Prepare for the Flood Matthew Fisher Solution Architect, Fortify Federal 08MAR2018

Devops, Docker and Security. John

Containers, Serverless and Functions in a nutshell. Eugene Fedorenko

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

Deep Dive on AWS CodeStar

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

Course Overview This five-day course will provide participants with the key knowledge required to deploy and configure Microsoft Azure Stack.

The four forces of Cloud Native

Rethinking Product Security: Cloud Demands a New Way

Orchestrating the Continuous Delivery Process

A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES. Chris Van Tuin Chief Technologist, West

Cloud Native Applications. 主讲人 :Capital One 首席工程师 Kevin Hoffman

Digital Renewable Ecosystem on Predix Platform from GE Renewable Energy

Deploying and Operating Cloud Native.NET apps

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

Cloud Customer Architecture for Securing Workloads on Cloud Services

CLOUD WORKLOAD SECURITY

Securing Your Cloud Introduction Presentation

SIEMLESS THREAT DETECTION FOR AWS

Aspirin as a Service: Using the Cloud to Cure Security Headaches

Episerver Digital Experience Cloud Norge Thechforum 2017

Important DevOps Technologies (3+2+3days) for Deployment

Qualys Cloud Platform

Secure DevOps: A Puma s Tail

SUSE s vision for agile software development and deployment in the Software Defined Datacenter

INTRO TO AWS: SECURITY

BUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE:

Going cloud-native with Kubernetes and Pivotal

DevOps on AWS Deep Dive on Continuous Delivery and the AWS Developer Tools

Docker Universal Control Plane Deploy and Manage On-Premises, Your Dockerized Distributed Applications

Vulnerability Management

Weaving Security into Every Application

AGILE AND CONTINUOUS THREAT MODELS

Getting Started with AWS Security

An SDLC for the DevSecOps Era Or SecDevOps, or DevOpsSec,

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

Security & Compliance in the AWS Cloud. Amazon Web Services

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

Security Architecture

Docker at Lyft Speeding up development Matthew #dockercon

CONTINUOUS DELIVERY IN THE ORACLE CLOUD

SoftLayer Security and Compliance:

Taking Control of Your Application Security

Docker and HPE Accelerate Digital Transformation to Enable Hybrid IT. Steven Follis Solutions Engineer Docker Inc.

20537A: Configuring and Operating a Hybrid Cloud with Microsoft Azure Stack

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Suman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017

Cloud Essentials for Architects using OpenStack

OFFICE 365 GOVERNANCE: Top FAQ s & Best Practices. Internal Audit, Risk, Business & Technology Consulting

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Continuous Integration and Delivery with Spinnaker

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

A10 HARMONY CONTROLLER

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

70-532: Developing Microsoft Azure Solutions

CWIN CAPGEMINI WEEK OF INNOVATION NETWORKS. Re-platforming and Cloud Journey. Fausto Pasqualetti, Milano, 25 Settembre 2018

Twilio cloud communications SECURITY

Microservices on AWS. Matthias Jung, Solutions Architect AWS

MODERNIZING TRADITIONAL SECURITY:

Practical Guide to Platform as a Service.

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Enabling Cloud Adoption. Addressing the challenges of multi-cloud

Application Security at Scale

DOS AND DON'TS OF DEVSECOPS

Robots with Pentest Recipes:

Cloud & AWS Essentials Agenda. Introduction What is the cloud? DevOps approach Basic AWS overview. VPC EC2 and EBS S3 RDS.

Continuous Delivery for Cloud Native Applications

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

THE EMERGING PRODUCT SECURITY LEADER DISCIPLINE

Red Hat Roadmap for Containers and DevOps

70-532: Developing Microsoft Azure Solutions

AUTOMATE THE DEPLOYMENT OF SECURE DEVELOPER VPCs

Roles. Ecosystem Flow of Information between Roles Accountability

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Transcription:

DevOps Anti-Patterns Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! 31

Anti-Pattern: Throw it Over the Wall Development Operations 32

Anti-Pattern: DevOps Team Silo Development DevOps Operations 33

Anti-Pattern: NoOps Approach Development Operations Dev Ops 34

Anti-Pattern: Ops Will Handle it Development Operations Dev Ops 35

Anti-Pattern: Ops Will Handle it 36

Development and Operations Collaboration Development Operations 37

Dev and Ops Fully Shared Responsibilities Development Operations 38

DevOps-as-a-Service Development Operations DevOps 39

Process Collaboration Across Teams Cross-Training Support Business Agility Breaking Down Silos Automation of Repetitive Tasks Everything as Code Test, Measure, and Monitor People Tools 40

We want to turn this 41

Into this! 42

DevSecOps is the process of incorporating and enforcing meaningful security controls without slowing down deployment velocity. COPYRIGHT 2018 MANICODE SECURITY 43

Enabling DevSecOps Through People 44

Break Down the Silos 45

Build a Team Beyond Yourself 46

Be Approachable 47

Train Others 48

Radical Transparency 49

Communication and Collaboration Critical piece to the DevOps puzzle A culture of trust and empowerment makes for a healthy workplace Move towards shipping software faster and more confidently Embrace cross-team communication and training Feedback available from each step of the pipeline Security is a great fit in modern DevOps cultures 50

Case Study: The Two Pizza Team 51

Enabling DevSecOps Through Process 52

DevSecOps Pipelines 53

DevOps Processes Automate building the dev and production environment Automate software testing (including security) Automate deploying software and services Automate monitoring and alerting Tune your tools to become more automated and handsoff Build the pipeline slowly and don t fear failure! Be careful with sensitive areas which are difficult to automate (access control, biz logic, complex actions) 54

55

Key Goals of DevSecOps Pipelines Optimize the critical resource: Security personnel Automate things that don t require a human brain Drive up consistency Increase tracking of work status Increase flow through the system Increase visibility and metrics Reduce any dev team friction with application security COPYRIGHT 2018 MANICODE SECURITY

Pipeline Security Continuous Integration Continuous Deployment Production Automated test suite Infrastructure QA Testing (performance, load, etc.) Post-deploy checks Code Committed Repository Build Automation IaaS, PaaS, On-Prem, etc. Peer review Configuration management, artifact creation, db migrations, etc. Monitoring and alerting 57

Development (Pre-Commit) Code Committed Developer laptops are the first line of defense in a DevSecOps pipeline Moving security to the left prevents costly mistakes and vulnerabilities later Required Git pre-commit hooks can offer a simple, effective feedback loop Static analysis scans in the IDE Peer review from security engineers Lightweight, threat modeling in sensitive areas 58

Git-Secrets https://github.com/awslabs/git-secrets 59

Brakeman Static Scanning (Git Pre-Commit Hook) 60

Continuous Integration (Commit Stage) Automated test suite Repository Peer review Basic automated testing is performed after a commit is made Must be quick and offer instant feedback Key place to include security checks that run in parallel with integration tests, unit tests, etc. Identify risk in third-party components Incremental static security scanning Alerting on changes to high-risk areas Digital signatures for binaries 61

Continuous Integration (Commit Stage) CI server may include a dedicated security worker Third-party dependency checking performed in CI OWASP Dependency Check Node Security Project Bundler-Audit SRC:CLR Custom alerts set on repositories and sent to on-call security teams Is someone changing pw hashing algorithm? Is a new password policy enabled? 62

Continuous Deployment (Acceptance) Infrastructure QA Testing (performance, load, etc.) Build Automation Configuration management, artifact creation, db migrations, etc. Triggered by successful commit and passing build Utilize parallel, out-of-band processes for heavyweight security tasks IaaS and Config Management should provision latest, known-good environment state (as close to production as possible) Security checks during acceptance: Comprehensive fuzzing Dynamic Scanning (DAST) Deep static analysis Manual security testing 63

Continuous Deployment (Acceptance) Zap Baseline scan incorporated into CI stage of the deployment pipeline Runs a basic scan scan from a simple Docker run command By default will output all results of passive scan rules Highly configurable but still struggles in certain areas https://github.com/zaproxy/community-scripts/tree/master/api/mass-baseline 64

Production (Post-Deployment) Post-deploy checks IaaS, PaaS, On-Prem, etc. After all security checks have passed and deployment is complete Security teams job does not stop here: Monitoring and Alerting Runtime Defense (RASP) Red Teaming Bug Bounties External Assessments Web Application Firewalls Vulnerability Management 65

Enabling DevSecOps Through Technology 66

Where are we going? Infrastructure as a Service Secrets Storage Logging and Monitoring Containers and Microservices 67

Infrastructure-as-a-Service (IaaS) Delivery of a complete computing foundation Servers (virtualized, physical, or serverless ) Network Storage Infrastructure is exposed to operators using a service Programming network and infrastructure through APIs vs. buying and building physical hardware Can be operated by a third-party, hosted in-house (K8s), or a hybrid model 68

Infrastructure-as-a-Service Managed by Ops Auto Scaling Amazon DynamoDB Amazon EC2 IaaS Provider Network Hardware Physical VM Hosts 69

IaaS Security Considerations The Cloud doesn t do security for you this is your responsibility Network and Data Security Auditing Capabilities Compliance Requirements SOC, PCI, HIPAA, etc. Encryption Capabilities Third-Party Certificates and Audits Secrets Storage, Built-in Security Features, etc. 70

The Cloud Won t Protect You 71

Distributing Secrets Software systems often need access to a shared credential to operate: Database password Third-Party API key Microservices Secret management is full of opinions and could be a course itself Many options exist Choose your own adventure! 72

Commandments of Sane Secret Management Secrets should not be written to disk in cleartext Secrets should not be transmitted in cleartext Access to secrets should be recorded Operator access to secrets should be limited Access control to secrets should be granular Secrets distribution infrastructure should be mutually authenticated Secrets should be version-controlled 73

HashiCorp s Vault 74

Which is the most secure way to pass secrets to an app running in a container? 1. Pass secrets as an environment variable 2. Mount volume in container that has secrets in a file 3. Build the secrets into the container image 4. Query a Secrets API over your network 5. Other 75

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback