Safety and Speed How Tenable Runs Swift and Sure in a DevOps World

Similar documents
Automating Security Practices for the DevOps Revolution

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

Security as Code: The Time is Now. Dave Shackleford Founder, Voodoo Security Sr. Instructor, SANS

DevOps Tooling from AWS

Vulnerability Management

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

Unify DevOps and SecOps: Security Without Friction

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

In This Webinar. ConEnuous Load TesEng & ConEnuous Delivery with Jenkins

THE ART OF SECURING 100 PRODUCTS. Nir

CLOUD WORKLOAD SECURITY

NEXT GENERATION CLOUD SECURITY

Elizabeth Lawler CEO & Co-Founder Conjur,

Development. Architecture QA. Operations

Sunil Shah SECURE, FLEXIBLE CONTINUOUS DELIVERY PIPELINES WITH GITLAB AND DC/OS Mesosphere, Inc. All Rights Reserved.

DevSecOps Shift Left Security. Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES. Chris Van Tuin Chief Technologist, West

DevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

ebook ADVANCED LOAD BALANCING IN THE CLOUD 5 WAYS TO SIMPLIFY THE CHAOS

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

DevOps Made Easy. Shireesh Thanneru, Platform Architect. Intel. Linoy Alexander, Director, DevOps

Implementing and maintaining a DevSecOps approach in the cloud George Gerchow - VP of Security &

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

Overcoming the Challenges of Automating Security in a DevOps Environment

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

Eyes Everywhere: Monitoring Today's Borderless Landscape

Rethinking Product Security: Cloud Demands a New Way

Security Automation Best Practices

Managing an Application Vulnerability Management Program in a CI/CD Environment. March 29, 2018 OWASP Vancouver - Karim Lalji 1

I keep hearing about DevOps What is it?

TEN LAYERS OF CONTAINER SECURITY

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

next-generation datacenters

Containers & Microservices For Realists. Karthik

How to shift from compliance to proactive security

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO

FROM VSTS TO AZURE DEVOPS

April Appendix 3. IA System Security. Sida 1 (8)

Deploy Early, Deploy Often, Deploy Safely Andy Lowe

Docker and Security. September 28, 2017 VASCAN Michael Irwin

Continuous Delivery for Cloud Native Applications

l e a n Lean Software Development software development Faster Better Cheaper

Nir Valtman & Moshe Ferber DEFCON #23

Docker CaaS. Sandor Klein VP EMEA

The Divine and Felonious Nature of Cyber Security

THE IMPACT OF HYBRID AND MULTI CLOUDS TO CYBERSECURITY PRIORITIES

DevOps A How To for Agility with Security

TM DevOps Use Case. 2017TechMinfy All Rights Reserved

Container in Production : Openshift 구축사례로 이해하는 PaaS. Jongjin Lim Specialist Solution Architect, AppDev

CyberPosture Intelligence for Your Hybrid Infrastructure

Maximum Security with Minimum Impact : Going Beyond Next Gen

SANS AppSec AppSec what can you learn from small companies? What Works and What Doesn t

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Client Health Key Features Datasheet. Client Health Key Features Datasheet

Building an Effective Cloud Operating Model on AWS

Test Automation Strategies in Continuous Delivery. Nandan Shinde Test Automation Architect (Tech CoE) Cognizant Technology Solutions

7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager

THE REAL ROOT CAUSES OF BREACHES. Security and IT Pros at Odds Over AppSec

CATCH ERRORS BEFORE THEY HAPPEN. Lessons for a mature data governance practice

Take Your Oracle WebLogic Applications to The Next Level with Oracle Enterprise Manager 12c

THE EMERGING PRODUCT SECURITY LEADER DISCIPLINE

Amir Zipory Senior Solutions Architect, Redhat Israel, Greece & Cyprus

Security Precognition: Chaos Engineering in Incident Response

Lift and Shift, Don t Lift and Pray: Pragmatic Cloud Migration Strategies

SYMANTEC DATA CENTER SECURITY

About Us. Services CONSULTING OUTSOURCING TRAINING MENTORING STAFF AUGMENTATION 9/9/2016

Cloud Security Whitepaper

Going cloud-native with Kubernetes and Pivotal

CSV-W14 - BUILDING AND ADOPTING A CLOUD-NATIVE SECURITY PROGRAM

A U.S. based so,ware development and technical consul9ng company. Technical Capabilities Overview

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

DevOps Agility in the Evolving Cloud Services Landscape

Container Deployment and Security Best Practices

AWS Reference Design Document

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT. August prevoty.com. August 2015

Qualys Cloud Platform

Using Digital Rebar to Create Composable Infrastructure Operations for Site Reliability Engineers

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

AUTOMATE THE DEPLOYMENT OF SECURE DEVELOPER VPCs

CONTINUOUS DELIVERY WITH DC/OS AND JENKINS

Disruptive Technology

SECURITY-AS-A-SERVICE BUILT FOR AWS

Docker Live Hacking: From Raspberry Pi to Kubernetes

Strengthen and Scale security using DevSecOps

National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018

About NitroSecurity. Application Data Monitor. Log Mgmt Database Monitor SIEM IDS / IPS. NitroEDB

Datacenter Security: Protection Beyond OS LifeCycle

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Accelerating Software Delivery with the AWS Developer Tools. Pradyumna Dash Solutions Architect, UK Public Sector

From development to production

DevOps and Continuous Delivery USE CASE

AUTOMATING SECDEVOPS WORKSHOP

Automate the Lifecycle of IT

Getting Started with AWS Security

Visual Studio Team Services

ContainerOps - DevOps Orchestration. Quanyi Ma

Transcription:

SESSION ID: GPS-F02B Safety and Speed How Tenable Runs Swift and Sure in a DevOps World Dave Cole Chief Product Officer Tenable @mediafishy

Agenda The Problem Hypothesis What We Did Results Key Takeaways 2

The Problem

1. Playing catch-up Many advantages for building new platform w/ the latest tech Better scaling Responsiveness Flexibility Increased development velocity Easier integration 4

1. Playing catch-up (cont.) New platforms benefit from all your learnings, but they don t inherit all of your work the old features often times, have to be re-created. Unless you delay launching until you have everything, you re under time pressure from day 1. Speed is crucial. 5

2. Speed, the natural adversary of safety The faster you go, the harder it is to control the outcome Especially true for security where even small lapses can introduce serious vulnerabilities People are often skeptical of new platforms, let alone new vulnerability management platforms with vulnerabilities! 6

3. Classic approach irrelevant The new platform is based on Docker containers housing purpose-built micro services Using an agile approach with continuous integration & delivery (CI/CD), we can frequently update the platform 7

3. Classic approach irrelevant (cont.) Containers are shortlived, average of 2.5 days. Scans in production would be out of date before you act on them & patching makes little sense. 8

3. Classic approach irrelevant (cont.) What about an agent in the container? Still a slow scan & fix model. & heavy container may not possess an OS, why would it have an agent? 9

Hypothesis

Hypothesis Security has to become part of the natural flow of the development pipeline for safe CI/CD. To minimize the # of issues even an integrated assessment can handle, security must be baked in to a disciplined design phase Developers must be accountable for the security of their own code & a dedicated person on their own team to help them. 11

What We Did

Container Hardening Start from known good Docker base containers are hardened & actively maintained by the Ops team Declared Ports on Container Images additional ports are runtime are not accessible, blocked Healthy, Normal Compromised, Add l Port Open Declared Ports Only; Blocked 13

Platform Hardening Configuration details loaded as a stream from a service at startup instead of being stored as files on running machines Least-Privilege SELinux Policies on Servers Least-Privilege IAM Roles Deletes not allowed in AWS (via global IAM policy) Deep Session Validation (JWT on Backend Services) 14

Designing for Safety & Speed Created an explicit design phase w/ team wide reviews Properly fund design with the right people & time Peer code reviews End to end change tracking, starting from design (Jira) through commit (Stash) and build (Bamboo) 15

Security: a natural part of the pipeline Source Control Build Registry Container Host Orchestration Build system integration (Bamboo) means container problems surface before production & in the same fashion as any other product defect Scanning for vulnerabilities, malware & compliance happens inside a private registry at check-in & periodically thereafter Nessus Agents used on the hosts themselves for periodic scanning 16

Making product security native Engineers must be accountable for their own code Accountability isn t enough, someone has to own product security and they can t sit in the IT group A strong ops team is essential, but they have more to do than security We hired a seasoned security professional (former consultant, CISO & Developer) who reports into the VP of Engineering as a Sr. Director, Product Security 17

Pit stop: slowing down to speed up Amidst looming deadlines & urgent projects, we stopped nearly all feature development for a 2 week sprint We planned it for about 2 months We used the time to improve tooling, increase automation coverage, training & more Then we went straight back at it w/ true CI/CD 18

Results

Results Month Before Month After Major Deployments/Releases Happier, more motivated engineers 96.2% increase in amount of unique tests 20% drop in customer support tickets 0 known escaped security issues Nice uptick in the # of releases 20

Key Takeaways Hardening as essential as ever for both containers & platform Safe CI/CD requires security pipeline integration 21

Key Takeaways Continued Developers need to own the quality of their own code, ops can own platform health, prod sec needs to be native Going fast, ironically requires going slower at the outset as you invest in process, integration & automation 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback