Does DevSecOps Really Exist?

Post on 09-Jan-2017


TRANSCRIPT

Does Dev’Sec’Ops Really Exist?

Alex Manly

Who am I?

Alex Manly, Principal DevOps Consultant, Contino (UK)
@apmanly
alex.manly@contino.io

Compliance Report - Verizon

Out of 10,000 companies that were surveyed, 1 in 5 were non-compliant with regulation.

Challenge: the ability to keep up with a moving target. Requirements change by an average of 18% over a year.

Non-compliant breached companies:
45% - patch management and development security
72% - log management and monitoring
73% - firewall configuration

Challenge: the ability to continuously monitor their environments for changes.

© 2014 451 Research, LLC. www.451research.com

Cloud Computing Pain Points

[Chart: bar chart of survey responses. Q. What are your top cloud computing-related pain points? Select up to three. n=163. Source: Cloud Computing – Wave 7, www.451research.com. Bars ranged from 2% to 31% across these categories: Business Continuity/Disaster Recovery; Interoperability; Lack of Provider Competence; Perception and Internal Resistance; Storage; Data Movement; Governance; Capacity Planning/Management; Legacy Applications; Technology Immaturity; Complexity; Limited Transparency and Management; Service-level Management; Lack of Standards; Network; Service Reliability/Availability; Contractual/Legal Issues; Organizational Challenges; Vendor/Provider Issues; Lack of Internal Process; Management; Internal Resources/Expertise; Migration/Integration; Compliance; Security of Data, Control of Data Locality, Sovereignty; Human Change Management; Pricing/Budget/Cost; Security.]

Other pain points mentioned: Automated Provisioning; Automation; Billing/Chargeback/Show-back; Ease of Transfer Between Private and Public Cloud; Integration of Private and Public Cloud; Lack of Control; Lack of Flexibility; Licensing; Orchestration; Performance; Platform/Provider Selection; Support; Time to Deployment.

Cloud Pain Points

Shared Security Model

Compliance Drag

Emerging technologies changing all the time

Lack of resources

Access to data and systems

Scale of the problem

Moving target – regulation frequently changes

Reactive rather than proactive

Drag on velocity

“The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.”

Gene Kim, former CTO of Tripwire, author of “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win”

InfoSec Ends Up Being Marginalised

“If you think compliance is expensive, try non-compliance.”

Former US Deputy Attorney General, Paul McNulty

High Velocity IT

Infrastructure on Demand

DevOps

DevOps is a primary movement in the growing trend to industrialize IT service development and production. IDC expects DevOps strategies will increasingly dominate enterprise and service provider strategies. By 2016, DevOps will be employed by 25% of Global 2000 organizations. DevOps technologies will achieve revenue of $4B by 2018.

Configuration Management

Automate at Scale

Desired State Configuration

Infrastructure as Code

Efficient & Repeatable

Cattle not Pets

Automation and Convergent Infrastructure

Mark Burgess, creator of CFEngine, author of “In Search of Certainty”

“A system’s desired configuration state can be said to be defined by fixed points. Most configuration management systems (e.g.: CFEngine, Chef, Puppet, PowerShell DSC) are based on this idea: they provide means to declare what must happen instead of requiring imperative workflows that prescribe what we do.”

Driving Towards Immutable Infrastructures

“This is what I call disposable computing. Throw away a broken process rather than try to fix it. Machines can be made expendable as long as the total software is designed for it. Not much of it is today, but we’re getting there. Nature shows that this is a good way of scaling services.”

Mark Burgess, creator of CFEngine, author of “In Search of Certainty”

Infrastructure as Code

• Programmatically provision and configure components
• Treat it like any other codebase
• Reconstruct the business from the code repository, data backup, and compute resources

Security & Compliance Implications

Automate all the things…

Architecture

Conway's Law – it’s the law

Monoliths, SOA, Microservices

Design for:
Deployability
Testability
Operability
Changeability – evolve your architecture

Cloud

• Security as Code - software-defined security
• Embed security tests into the pipeline
• Test security early

Dev’Sec’Ops

Shift Security Left

Continuous Security

Security Posture

End-to-end Visibility
Continuous Detection/Prevention
Automated Configuration and Scaling
Remediation & Fast Resolution
Disaster Recovery and Business Continuity
Audit & Compliance

Design Secure Immutable Infrastructure

Build secure base images that are representative of your infrastructure system base.

Design the file system layout to separate code from data, and lock it down to the minimum required permissions. This should extend to the network as well.

Leverage the SANS checklists and CIS Benchmark resources for system-level security best practices and guidance.

Leverage configuration management tools to standardise all software versions and configurations.
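The code/data split and minimum-permission point above can be checked mechanically against a built image. The following is an added example, not code from the slides or from Contino: it assumes a policy (nothing under a code tree is group- or world-writable or setuid/setgid; nothing under a data tree is world-writable or executable) and builds a small constructed directory tree so it runs offline. Point audit_layout at real paths inside an image to use it for real.

```ruby
# Added example, not from the slides: audit the code/data split on disk.
# Assumed policy: nothing under a code tree may be group- or world-writable
# or setuid/setgid; nothing under a data tree may be world-writable or
# executable. The tree built in build_sample_tree is constructed so the
# script runs offline; point audit_layout at real paths in an image instead.
require 'find'
require 'fileutils'
require 'tmpdir'

WORLD_WRITE = 0o002
GROUP_WRITE = 0o020
ANY_EXEC    = 0o111

# Yield every non-symlink entry under dir with its File::Stat.
def each_entry(dir)
  Find.find(dir) do |path|
    st = File.lstat(path)
    next if st.symlink?   # audit the link target where it lives, not the link
    yield path, st
  end
end

# Return sorted [path, reason] pairs for every entry that breaks the policy.
def audit_layout(code_dirs:, data_dirs:)
  findings = []
  code_dirs.each do |dir|
    each_entry(dir) do |path, st|
      findings << [path, 'code is group/world writable'] if (st.mode & (WORLD_WRITE | GROUP_WRITE)) != 0
      findings << [path, 'code is setuid/setgid'] if st.setuid? || st.setgid?
    end
  end
  data_dirs.each do |dir|
    each_entry(dir) do |path, st|
      findings << [path, 'data is world writable'] if (st.mode & WORLD_WRITE) != 0
      findings << [path, 'executable in data tree'] if st.file? && (st.mode & ANY_EXEC) != 0
    end
  end
  findings.sort
end

# Constructed sample: one clean and one bad file in each tree.
def build_sample_tree(root)
  code = File.join(root, 'opt', 'app')
  data = File.join(root, 'var', 'lib', 'app')
  FileUtils.mkdir_p([code, data])
  File.chmod(0o755, code)
  File.chmod(0o755, data)
  File.write(File.join(code, 'server.rb'), "puts 'hello'\n")
  File.chmod(0o644, File.join(code, 'server.rb'))     # fine
  File.write(File.join(code, 'deploy.sh'), "#!/bin/sh\n")
  File.chmod(0o777, File.join(code, 'deploy.sh'))     # bad: anyone can rewrite code
  File.write(File.join(data, 'records.db'), '')
  File.chmod(0o600, File.join(data, 'records.db'))    # fine
  File.write(File.join(data, 'upload.sh'), "#!/bin/sh\n")
  File.chmod(0o755, File.join(data, 'upload.sh'))     # bad: executable content in the data tree
  { code: [code], data: [data] }
end

# Run the audit over the sample tree and strip the temp prefix from paths.
def run_sample
  Dir.mktmpdir('layout-audit') do |root|
    dirs = build_sample_tree(root)
    audit_layout(code_dirs: dirs[:code], data_dirs: dirs[:data])
      .map { |path, reason| [path.delete_prefix(root), reason] }
  end
end

if __FILE__ == $PROGRAM_NAME
  run_sample.each { |path, reason| puts "#{path}: #{reason}" }
end
```

Run it as part of the image build so a finding fails the build before the image is published; the same walk can be extended with the network side of the slide (for example, checking that listening sockets are only the ones the image's role requires).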

Prevent Attacks with Immutable Infrastructure

Manage Vulnerabilities with Base Images

Manage Vulnerabilities
• Conduct normal vulnerability scanning
• Identify vulnerabilities that exist in base images versus application-specific packages
• Remediate at the appropriate level as part of the Continuous Delivery process
• Start with a hardened “secure by default” base

Results
• Less work, done more reliably
• Patching fits naturally into Phoenix upgrades
• Continuous Delivery allows frequent scanning in test environments to have real value
• Fixes potential vulnerabilities systematically
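The "base image versus application-specific package" decision above is the part that is easy to get wrong: patching one application image leaves every other image built on the same base exposed. The following is an added example, not code from the slides or from Contino. It assumes two package manifests (base image and application image) and a scanner report, all constructed here as placeholders with made-up finding identifiers, and works out the layer at which each finding should be fixed.

```ruby
# Added example, not from the slides: attribute each scanner finding to the
# image layer where it should be fixed. The package lists and the findings
# are constructed placeholders standing in for a base image manifest, an
# application image manifest and a scanner report; the identifiers are not
# real vulnerability IDs.
BASE_IMAGE_PACKAGES = {
  'openssl' => '1.0.1e',
  'bash'    => '4.3-7',
  'glibc'   => '2.19-18',
}.freeze

APP_IMAGE_PACKAGES = BASE_IMAGE_PACKAGES.merge(
  'bash'    => '4.3-11',   # the application build pulled a newer bash
  'nginx'   => '1.6.2',    # application-specific package
  'libxml2' => '2.9.1',
).freeze

# Constructed findings: [finding id, package, first fixed version]
FINDINGS = [
  ['FINDING-1', 'openssl', '1.0.1f'],
  ['FINDING-2', 'bash',    '4.3-9'],
  ['FINDING-3', 'nginx',   '1.6.3'],
  ['FINDING-4', 'libxml2', '2.9.1'],
].freeze

# Simplified version ordering: numeric runs compare numerically, letter runs
# lexically (so 1.0.1e < 1.0.1f and 4.3-11 > 4.3-9). A real pipeline should
# use the distribution's comparator (e.g. dpkg --compare-versions).
def version_key(version)
  version.scan(/\d+|[a-zA-Z]+/).map { |run| run =~ /\A\d+\z/ ? [1, run.to_i] : [0, run] }
end

def status(installed, fixed_in)
  return :absent if installed.nil?
  (version_key(installed) <=> version_key(fixed_in)) >= 0 ? :fixed : :vulnerable
end

# For each finding, decide where the fix belongs:
#  - the app inherited the vulnerable version unchanged -> rebuild the base image
#    (and every image on top of it) rather than patching one app
#  - the app pinned its own vulnerable version           -> fix the app build
#  - only the base is affected                           -> base image, so other
#    applications stop inheriting it
def triage(findings, base, app)
  findings.map do |id, pkg, fixed_in|
    base_status = status(base[pkg], fixed_in)
    app_status  = status(app[pkg], fixed_in)
    fix_at =
      if app_status == :vulnerable && base[pkg] == app[pkg] then :base_image
      elsif app_status == :vulnerable                        then :app_image
      elsif base_status == :vulnerable                       then :base_image
      else :none
      end
    { id: id, package: pkg, base: base_status, app: app_status, fix_at: fix_at }
  end
end

if __FILE__ == $PROGRAM_NAME
  triage(FINDINGS, BASE_IMAGE_PACKAGES, APP_IMAGE_PACKAGES).each do |r|
    puts format('%-10s %-8s base=%-10s app=%-10s fix at: %s', r[:id], r[:package], r[:base], r[:app], r[:fix_at])
  end
end
```

In the constructed data, the openssl finding is fixed in the base (the app inherited it unchanged), the bash finding is fixed in the base even though this app already carries a newer bash (other images on the same base do not), nginx is fixed in the application build, and the libxml2 finding needs nothing because the installed version already contains the fix.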

Adopt Phoenix Upgrade Strategy

Embrace Phoenix Upgrades
• Stand up new instances, don’t upgrade
• Route traffic between old and new instances
• Rich service metrics and automated rollback
• Advanced routing can enable selective rollout

Results
• Creates evergreen systems, avoiding configuration drift and technical debt
• Enforces refresh of all system components as a complete artifact, tested as a holistic system
• Greatly reduces security risks when combined with immutable instances and configuration management

Example - Static Code Analysis

This example will identify any code that tries to mount disk volumes. If such code is identified, it will be audited, and the workflow can then control the action taken on this deviation from standards.
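The slide describes the check but does not show it. The following is an added example, not code from the slides or from Contino: a small line-based static check that flags source that mounts volumes and returns a gate result for the workflow. The rule list is an illustrative assumption (it is not a complete catalogue of ways to mount a filesystem), and the files in SAMPLE_FILES are constructed inputs.

```ruby
# Added example, not from the slides: a small static check that flags source
# lines which mount volumes and gates the change on an audit. The rule list
# is an illustrative assumption (it is not a complete catalogue of ways to
# mount a filesystem), and the files in SAMPLE_FILES are constructed inputs.
# Ordered so the most specific rule for a line wins.
MOUNT_RULES = [
  ['configuration-management mount resource', /^\s*mount\s+['"][^'"]+['"]\s*(?:do|\{)/],
  ['mount run through exec/subprocess',       /\b(?:system|exec|popen|subprocess\.(?:run|call|Popen))\s*\(\s*\[?\s*["']?(?:\/bin\/)?mount\b/],
  ['shell mount command',                     /(?:^|[;&|]\s*|\bsudo\s+)mount\s+/],
  ['docker volume flag',                      /\bdocker\s+run\b.*\s(?:-v|--volume|--mount)[\s=]/],
  ['kubernetes volumeMounts',                 /^\s*volumeMounts:\s*$/],
  ['fstab entry',                             /^\s*(?:\/dev\/|UUID=|LABEL=)\S+\s+\/\S*\s+\S+/],
].freeze

# Constructed sample repository: name => contents.
SAMPLE_FILES = {
  'deploy/bootstrap.sh' => <<~SH,
    #!/bin/sh
    set -e
    apt-get install -y nginx
    sudo mount /dev/xvdf /var/lib/app
    echo "mount point ready"   # mentions the word, but does not mount
  SH
  'cookbooks/app/recipes/default.rb' => <<~RB,
    package 'nginx'
    mount '/var/lib/app' do
      device '/dev/xvdf'
      fstype 'ext4'
    end
  RB
  'tools/snapshot.py' => <<~PY,
    import subprocess
    subprocess.run(["mount", "/dev/xvdg", "/mnt/snap"])
  PY
  'k8s/app.yaml' => <<~YAML,
    containers:
    - name: app
      volumeMounts:
      - name: data
        mountPath: /var/lib/app
  YAML
  'README.md' => "Run the service; the data volume is mounted by the platform.\n",
}.freeze

# Scan every line of every file; return findings sorted by file and line.
def scan_sources(files)
  findings = []
  files.each do |name, content|
    content.each_line.with_index(1) do |line, lineno|
      rule = MOUNT_RULES.find { |_, pattern| line.match?(pattern) }
      next unless rule
      findings << { file: name, line: lineno, rule: rule[0], text: line.strip }
    end
  end
  findings.sort_by { |f| [f[:file], f[:line]] }
end

# Workflow gate: the pipeline does not have to fail, but any hit must be
# reviewed (the slide's "audited") before the change is allowed through.
def gate(findings)
  findings.empty? ? :pass : :audit_required
end

if __FILE__ == $PROGRAM_NAME
  findings = scan_sources(SAMPLE_FILES)
  findings.each { |f| puts "#{f[:file]}:#{f[:line]} [#{f[:rule]}] #{f[:text]}" }
  puts "gate: #{gate(findings)}"
end
```

Against the constructed files this flags the shell script, the Chef recipe, the Python helper and the Kubernetes manifest, and leaves the README alone. Pattern matching of this kind is cheap and noisy by design: its job is to route a change to a reviewer, not to prove the absence of mounts, which is why the gate returns :audit_required rather than failing the build outright.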

Example – PCI Compliance

PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.

Rule:

    rules 'PCI 2.3 – Confirm telnet port not available'
      rule on run_control
      when
        name = 'should be listening'
        resource_type = 'port'
        resource_name = '23'
        status != 'success'
      then
        audit:error("PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.")
        notify("security-team@financialcorp.com", "A machine is listening for connections on port 23/telnet!")
      end
    end

Control:

    controls 'port compliance' do
      control port(23) do
        it "has nothing listening" do
          expect(port(23)).to_not be_listening
        end
      end
    end

Example – SOX Compliance

SOX Section 302.4.B – Establish verifiable controls to track data access.

Rule:

    rules 'force key based auth'
      rule on run_control
      when
        name = 'is disabled'
        resource_type = 'File'
        resource_name = '/etc/ssh/sshd_config'
        status = 'failed'
      then
        audit:error("SOX Section 302.4.B – Establish verifiable controls to track data access.")
        notify('security-team@financialcorp.com', "A machine has password login enabled!")
      end
    end

Control:

    controls 'password authentication' do
      control file('/etc/ssh/sshd_config') do
        it "is disabled" do
          expect(file('/etc/ssh/sshd_config')).to_not match(/^\s*PasswordAuthentication\s+yes/i)
        end
      end
    end

Note that this regex only catches an explicit “PasswordAuthentication yes”. OpenSSH defaults the option to yes when the directive is absent or commented out, so a file with no directive at all passes this control while password logins remain enabled; a stricter control requires an explicit “PasswordAuthentication no” outside any Match block.
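The two controls above can also be written as plain checks that run in a pipeline against captured evidence rather than inside Chef. The following is an added example, not the slides' Chef rules and not Contino's code. Its inputs are constructed: lines in the shape of `ss -H -lnt` output for the PCI 2.3 listener check, and sshd_config contents for the SOX password-authentication check. Unlike the slide's regex, a config with no PasswordAuthentication directive (or only a commented one) fails, because OpenSSH's default is yes. It reads a single file; Include'd fragments are not followed, and `sshd -T` remains the authoritative source of the effective configuration.

```ruby
# Added example, not the slides' Chef rules: the two checks above written as
# plain Ruby that runs in a pipeline against captured evidence. Inputs are
# constructed: lines in the shape of `ss -H -lnt` output for the listener
# check, and sshd_config contents for the password-authentication check.
# Unlike the slide's regex, a config with no PasswordAuthentication directive
# (or only a commented one) fails, because OpenSSH's default is "yes".

# Local addresses from `ss -H -lnt` lines (State Recv-Q Send-Q Local Peer ...)
# that listen on the given TCP port. Handles 0.0.0.0:23, [::]:23 and *:23.
def listeners_on(ss_output, port)
  ss_output.each_line.each_with_object([]) do |line, hits|
    cols = line.split
    next if cols.size < 4
    local = cols[3]
    hits << local if local.match?(/\A(?:\*|\[[^\]]*\]|[0-9.]+):#{port}\z/)
  end
end

# Effective global PasswordAuthentication value from sshd_config text.
# Per sshd_config(5): lines starting with # are comments, the first value
# for a keyword wins, directives after a Match line are conditional, and an
# absent directive means the default, "yes". Include'd fragments are not
# followed here; `sshd -T` is the authoritative source of the effective config.
def password_authentication(sshd_config)
  sshd_config.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/\s*=\s*|\s+/, 2)
    break if keyword.casecmp?('Match')
    return value.to_s.strip.downcase if keyword.casecmp?('PasswordAuthentication')
  end
  'yes'
end

def pci_2_3_telnet_check(ss_output)
  hits = listeners_on(ss_output, 23)
  { control: 'PCI 2.3', status: hits.empty? ? :pass : :fail,
    evidence: hits.empty? ? 'nothing listening on tcp/23' : "listening on #{hits.join(', ')}" }
end

def sox_302_password_auth_check(sshd_config)
  value = password_authentication(sshd_config)
  { control: 'SOX 302.4.B', status: value == 'no' ? :pass : :fail,
    evidence: "effective PasswordAuthentication #{value}" }
end

# Constructed evidence.
SS_WITH_TELNET = <<~SS
  LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
  LISTEN 0 5   127.0.0.1:25 0.0.0.0:*
  LISTEN 0 10  [::]:23      [::]:*
SS

SS_CLEAN = <<~SS
  LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
  LISTEN 0 128 [::]:22      [::]:*
SS

SSHD_HARDENED = <<~CFG
  # hardened host
  PasswordAuthentication no
  PubkeyAuthentication yes
  Match User backup
      PasswordAuthentication yes
CFG

# No directive at all: the slide's regex would pass this, sshd still allows passwords.
SSHD_DEFAULTS = "PubkeyAuthentication yes\n"

# Commented-out directive: same trap.
SSHD_COMMENTED = "#PasswordAuthentication no\n"

if __FILE__ == $PROGRAM_NAME
  [pci_2_3_telnet_check(SS_WITH_TELNET), pci_2_3_telnet_check(SS_CLEAN),
   sox_302_password_auth_check(SSHD_HARDENED), sox_302_password_auth_check(SSHD_DEFAULTS),
   sox_302_password_auth_check(SSHD_COMMENTED)].each do |r|
    puts format('%-12s %-5s %s', r[:control], r[:status], r[:evidence])
  end
end
```

Both checks return a structured result rather than raising, so the pipeline step that runs them can decide the action (notify, block the promotion, open a ticket) in the same way the slides' rules route to audit:error and notify.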

We Can Help

We help our clients adopt a modern composable stack of technologies:

Microservices

Configuration Management & Infrastructure Automation

Container Technology

Cloud Infrastructure

We are Docker Premier Partners.

Contino helps to transform the software development factory. Organisations have to modernise their ways of working, their infrastructure and their application delivery pipelines to prevent industry disruption and move to a faster and leaner IT model.

OLD WORLD
ARCHITECTURE: Complex interconnected legacy systems
DELIVERY MODEL: Big, risky, infrequent, heavyweight software releases
ORGANISATIONAL STRUCTURE: Siloed organisational structures
INFRASTRUCTURE: Traditional physical or virtualised infrastructure provisioned by IT operations
PRIORITIES: Efficient, predictable, risk-averse IT engine

NEW WORLD
ARCHITECTURE: Loosely coupled microservice architectures
DELIVERY MODEL: Continual stream of change through continuous delivery
ORGANISATIONAL STRUCTURE: Cross-functional empowered teams
INFRASTRUCTURE: Cloud-based infrastructure provisioned by development teams
PRIORITIES: Fast, agile and innovative IT engine

One of the UK’s Top 3 Largest Retail Banks
Adopting Docker container technology
Rationalising the development toolchain
Introducing more automation into the delivery pipeline
Advising on strategy for global transformation

One of the UK’s Top 3 Largest Retailers
Implementing public cloud
Configuration-managing on-demand environments
Infrastructure as Code definition
Upskilling & training a global engineering workforce

One of the UK’s Top 3 Largest Telecoms Providers
Integrating a cloud broker across private and public cloud
Configuration-managing on-demand environments
Improving the Continuous Delivery pipeline and the rigour of the software development lifecycle

Organisations across industries need to transform their software delivery engines. We are working with many of the largest enterprise brands across verticals.

Contino helps to transform the software development factory

How we drive transformation and cultural change

Cultural change emerges from many small steps. We help to deliver on key ways of working and technology modernisation initiatives, whilst also helping to create a thriving and more vibrant technology culture as a key deliverable.

Process: Key IT Processes, KPIs, Agile & Lean

People: Organisational Design, Skills, Incentives

Technology: Infrastructure, Architecture, Application Delivery

Who we work with

Thanks!

www.contino.io

alex.manly@contino.io
