devsecops: taking a devops approach to security
TRANSCRIPT
![Page 1: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/1.jpg)
DevSecOps: Taking a DevOps Approach to Security
Alert Logic & Chef discuss overcoming security challenges in DevOps
![Page 2: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/2.jpg)
Before We Begin
Housekeeping
• Turn on your system’s sound to
hear the streaming presentation
• Questions? Submit them to the
presenter at anytime into the
question box
• The presentation slides will be
available to download from the
attachment tab after the webinar
• The webinar will be recorded
and published on BrightTalk
• Technical Problems? Click
“Help”
Agenda
• Security Challenges
• High Velocity IT
• Vulnerability Management
• Securing the Platform
• Continuous Monitoring
• Questions
![Page 3: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/3.jpg)
Speaker Introduction
James Brown • Director of Cloud Computing & Security Architecture • Alert Logic
Alex Manly • Solution Architect • Chef
![Page 4: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/4.jpg)
OVERCOMING SECURITY CHALLENGES
![Page 5: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/5.jpg)
Security Remains #1 Pain Point For Cloud Deployments
© 2014 451 Research, LLC. www.451research.com
Cloud Computing Pain Points
Q. What are your top cloud computing-related pain points? Select up to three. n=163. Source: Cloud Computing – Wave 7
Security: 31%
Pricing/Budget/Cost: 17%
Human Change Management: 12%
Security of Data, Control of Data Locality, Sovereignty: 11%
Compliance: 11%
Migration/Integration: 10%
Internal Resources/Expertise: 9%
Management: 8%
Lack of Internal Process: 7.4%
Vendor/Provider Issues: 7%
Organizational Challenges: 7%
Contractual/Legal Issues: 7%
Service Reliability/Availability: 5%
Network: 5%
Lack of Standards: 4%
Service-level Management: 4%
Limited Transparency and Management: 4%
Complexity: 4%
Technology Immaturity: 3%
Legacy Applications: 3%
Capacity Planning/Management: 3.1%
Governance: 2.5%
Data Movement: 2.5%
Storage: 2%
Perception and Internal Resistance: 2%
Lack of Provider Competence: 2%
Interoperability: 2%
Business Continuity/Disaster Recovery: 2%
Other pain points mentioned: Automated Provisioning, Automation, Billing/Chargeback/Show-back, Ease of Transfer Between Private and Public Cloud, Integration of Private and Public Cloud, Lack of Control, Lack of Flexibility, Licensing, Orchestration, Performance, Platform/Provider Selection, Support, Time to Deployment
![Page 6: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/6.jpg)
Shared Security Model
![Page 7: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/7.jpg)
Application Security Technology Challenges
Why do traditional security tools struggle in the cloud?
• Network Changes
• Host Identity
• Auto-Scaling
![Page 8: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/8.jpg)
Security at Odds with DevOps Velocity
Traditional Security/Compliance is Slow
• Bolted on at the end
• Manual processes
• Long cycle times
Mature DevOps Velocity is Fast
Security Practice does not Keep Up
• Traditional security tools are not automated
• Continuous deployment stalls without security automation
![Page 9: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/9.jpg)
InfoSec Ends Up Being Marginalized
“The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.”
Gene Kim, former CTO of Tripwire
Author of “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win”
![Page 10: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/10.jpg)
Alert Logic Survey Findings
• Good communication between Development and Operations teams
• Poor communication between DevOps, Security and Compliance teams
• Security infrastructure had been poorly managed or needed significant improvement
• Admitted to not implementing security into their continuous process
![Page 11: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/11.jpg)
High velocity IT
• Web scale IT
• Software is eating the world
• The rise of the coded business
• Every business is an IT business
• Software defined everything
• Deliver change faster and safer
![Page 12: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/12.jpg)
Infrastructure on demand
• Cheap
• Secure
• Elastically Scalable
• Self Service
![Page 13: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/13.jpg)
DevOps
![Page 14: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/14.jpg)
Configuration Management
![Page 15: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/15.jpg)
Continuous Delivery
![Page 16: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/16.jpg)
Architecture
![Page 17: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/17.jpg)
Compliance Drag
![Page 18: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/18.jpg)
“If you think compliance is expensive, try non-compliance.”
Former US Deputy Attorney General, Paul McNulty
![Page 19: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/19.jpg)
DevSecOps – Don’t shoot me, it’s just a word
• Many hats **
• Not just Dev, not just Ops.
• Security is not, and has never been, just a check box.
• Security as Code - Software defined Security
• Embed security tests into the pipeline.
• Test security early.
** Hat tip to Ben Hughes (@benjammingh), from whom I stole this slide
https://speakerdeck.com/barnbarn/handmade-security-at-etsy
![Page 20: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/20.jpg)
The changing role of the compliance officer
![Page 21: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/21.jpg)
2015 Compliance Report - Verizon
![Page 22: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/22.jpg)
VULNERABILITY MANAGEMENT
![Page 23: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/23.jpg)
Vulnerability Management
Vulnerability management is key to maintaining a secure system.
Most IT environments use a mix of patch management and vulnerability scanning.
However:
• Scanning is not run frequently enough
• Dealing with large numbers of potential vulnerabilities in one go introduces significant risk to application stability
![Page 24: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/24.jpg)
Manage Vulnerabilities with Base Images + CI
Manage Vulnerabilities
• Conduct normal vulnerability scanning
• Identify vulnerabilities that exist in base images versus application-specific packages
• Remediate at the appropriate level as part of the Continuous Delivery process
• Start with a hardened, “secure by default” base
Results
• Less work, done more reliably
• Patching fits naturally into Phoenix upgrades
• Continuous Delivery allows frequent scanning in test environments to have real value
• Fixes potential vulnerabilities systematically
![Page 25: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/25.jpg)
Adopt Phoenix upgrade strategy
Embrace Phoenix Upgrades
• Stand up new instances, don’t upgrade in place
• Route traffic between old and new instances
• Rich service metrics and automated rollback
• Advanced routing can enable selective rollout
Results
• Creates evergreen systems, avoiding configuration drift and technical debt
• Enforces refresh of all system components as a complete artifact, tested as a holistic system
• Greatly reduces security risk when combined with immutable instances and configuration management
![Page 26: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/26.jpg)
Real World Case – Patching Shellshock
![Page 27: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/27.jpg)
SECURING THE PLATFORM
![Page 28: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/28.jpg)
Securing the platform
Aside from ensuring that the application and server are fully patched, it is key to start from a position where the server has been fully locked down.
In the cloud, have the developers simply taken the base OS images made available to them and used them as-is?
You may be in a position where:
• Permissions on servers cannot be changed without risking breaking the application
• Base OS images are used without any specific security hardening applied
• Standards differ across different server types.
![Page 29: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/29.jpg)
Prevent Attacks with Immutable Systems
Design Secure Immutable Infrastructure
• Build secure base images that are representative of your infrastructure system base
• Design the file system layout to separate code from data, and lock down to minimum required permissions. This should extend to the network as well
• Leverage SANS checklist and CIS Benchmark resources for system-level security best practices and guidance
• Leverage configuration management tools to standardize all software versions and configurations
![Page 30: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/30.jpg)
Example – Static Control Analysis
• This example identifies any code that tries to mount disk volumes. If such code is identified, it is audited, and a workflow can then control how this deviation from standards is handled.
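The slide shows only the idea; the check below is an added example written for this page, not code from the webinar or from Chef. It lexes a recipe with Ruby's standard-library Ripper so comments are ignored, and flags both a `mount` resource declaration and any string literal that invokes the mount(8) binary (which is how `execute` and `bash` resources mount things). The recipe it scans is constructed for the example; the regex, the finding shape and the function names are this example's own choices.

```ruby
require 'ripper'

# Added example, not code from the webinar or from Chef: a static check that a
# pipeline can run over recipe source to find code that mounts disk volumes,
# before the recipe ever converges on a node. It lexes the Ruby with Ripper
# (stdlib) so that comments are ignored and then flags two things:
#   1. a `mount` resource declaration: identifier `mount` at the start of a statement
#   2. a string literal that runs the mount(8) binary (execute/bash resources,
#      including heredoc code blocks), e.g. 'mount /dev/xvdc /scratch'
# Workflow handling of a finding (audit, approve, block) is left to the caller.

MOUNT_COMMAND = /(?:^|[;&|\s])(?:sudo\s+)?mount\s+\S/

# Token types that end the previous statement, so the next identifier starts a new one.
# A comment token carries its own trailing newline, so it counts as a boundary too.
STATEMENT_BOUNDARY = [:on_nl, :on_ignored_nl, :on_semicolon, :on_comment].freeze

def statement_start?(tokens, index)
  j = index - 1
  while j >= 0
    type = tokens[j][1]
    return true if STATEMENT_BOUNDARY.include?(type)
    return false unless type == :on_sp
    j -= 1
  end
  true # first token in the file
end

# Returns [{ line:, kind: }] with kind :mount_resource or :mount_command.
def find_mount_usage(source)
  tokens = Ripper.lex(source)
  findings = []
  tokens.each_with_index do |(pos, type, tok, _state), i|
    case type
    when :on_ident
      # `:mount` in an action list is preceded by :on_symbeg, so it is not a statement start
      findings << { line: pos[0], kind: :mount_resource } if tok == 'mount' && statement_start?(tokens, i)
    when :on_tstring_content
      findings << { line: pos[0], kind: :mount_command } if tok =~ MOUNT_COMMAND
    end
  end
  findings
end

# Constructed recipe for the example (not from a real cookbook).
SAMPLE_RECIPE = <<~'RECIPE'
  package 'nginx'
  # mount is only mentioned in this comment
  mount '/data' do
    device '/dev/xvdb'
    fstype 'ext4'
    action [:mount, :enable]
  end
  execute 'attach scratch volume' do
    command 'mount /dev/xvdc /scratch'
  end
  bash 'remount read-only' do
    code <<-EOH
      mount -o remount,ro /data
    EOH
  end
  directory '/var/www/mountains'
RECIPE

if __FILE__ == $PROGRAM_NAME
  find_mount_usage(SAMPLE_RECIPE).each do |f|
    puts "line #{f[:line]}: #{f[:kind]}"
  end
end
```

On the sample recipe this reports the `mount` resource on line 3 and the two shell invocations on lines 9 and 13, while ignoring the comment, the `:mount` action symbol, the `remount` resource name and the path containing "mountains". Lexing rather than grepping is what keeps the comment and the symbol from becoming false positives; the price is that a command assembled at run time from interpolated strings is not caught, which is a reason to treat a finding as an audit trigger and not as the only control.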
![Page 31: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/31.jpg)
Example – Infrastructure Testing
• Tests Chef cookbooks using cloud instances and virtual machines
• Lets you create a realistic multi-server test environment
• Uses Chef and supports everything Chef supports (OSs, VMs, languages, etc.)
• Supports multiple test runners (Bats, Minitest, RSpec, Serverspec, etc.)
![Page 32: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/32.jpg)
CONTINUOUS MONITORING
![Page 33: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/33.jpg)
Chef Analytics Provides Visibility in Three Ways
• Records changes to the Chef Server or any Chef nodes; tracks changes from any source (Chef UI, command line, knife)
• Built-in messaging and email integration; trivially integrates with your existing systems
• Simple dashboard with search, filters and sorting options; integrate with existing tools via API
![Page 34: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/34.jpg)
Example
![Page 35: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/35.jpg)
Example – PCI Compliance
• PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.
Rule
  rules 'PCI 2.3 - Confirm telnet port not available'
    rule on run_control
    when
      name = 'has nothing listening'
      resource_type = 'port'
      resource_name = '23'
      status != 'success'
    then
      audit:error("PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.")
      notify("[email protected]", "A machine is listening for connections on port 23/telnet!")
    end
  end
Control
  controls 'port compliance' do
    control port(23) do
      it "has nothing listening" do
        expect(port(23)).to_not be_listening
      end
    end
  end
![Page 36: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/36.jpg)
Example - SOX Compliance
• SOX Section 302.4.B – Establish verifiable controls to track data access.
Rule
  rules 'force key based auth'
    rule on run_control
    when
      name = 'is disabled'
      resource_type = 'File'
      resource_name = '/etc/ssh/sshd_config'
      status = 'failed'
    then
      audit:error("SOX Section 302.4.B - Establish verifiable controls to track data access.")
      notify('[email protected]', "A machine has password login enabled!")
    end
  end
Control
  controls 'password authentication' do
    control file('/etc/ssh/sshd_config') do
      it "is disabled" do
        # Match against the file's content: a regex never matches the bare file object,
        # so without .content this check passes even when password login is enabled.
        expect(file('/etc/ssh/sshd_config').content).to_not match(/^\s*PasswordAuthentication\s+yes/i)
      end
    end
  end
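The single-regex control above has a gap a practitioner should know about: sshd defaults `PasswordAuthentication` to `yes` when the directive is absent, uses the first occurrence of a directive when it appears more than once, and lets a `Match` block turn the setting back on for selected users or addresses. A stock Debian or Ubuntu sshd_config ships the line commented out, so the regex sees nothing and the control passes while password login stays enabled. The checker below is an added example written for this page, not code from the webinar or from Chef: plain Ruby with no Chef DSL, following those sshd_config rules, with constructed sample configs. Dropped into a cookbook's libraries/ directory it could be called from the `it` block in place of the regex; that wiring and all function names here are this example's own.

```ruby
# Added example, not from the webinar or from Chef: a checker that answers
# "would this sshd accept password logins?" by following sshd_config semantics
# instead of grepping for one line. Rules implemented (from sshd_config(5)):
#   * keywords are case-insensitive; '#' starts a comment; "Key value" or "Key=value"
#   * the FIRST occurrence of a directive wins, later duplicates are ignored
#   * "Match" opens a conditional block; its settings apply only to matching
#     connections, so they are reported separately rather than merged
#   * PasswordAuthentication defaults to "yes" when it is never set

def parse_sshd_config(text)
  global = {}
  match_blocks = []
  current = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip # drop comments (values containing '#' are rare)
    next if line.empty?
    key, _sep, value = line.partition(/[\s=]+/)
    key = key.downcase
    if key == 'match'
      current = { criteria: value, settings: {} }
      match_blocks << current
      next
    end
    target = current ? current[:settings] : global
    target[key] = value unless target.key?(key) # first occurrence wins
  end
  { global: global, match: match_blocks }
end

# True when the global section leaves password authentication on.
def password_auth_enabled?(text)
  cfg = parse_sshd_config(text)
  cfg[:global].fetch('passwordauthentication', 'yes').downcase == 'yes'
end

# Criteria of Match blocks that turn password authentication back on.
def match_blocks_enabling_passwords(text)
  parse_sshd_config(text)[:match]
    .select { |m| m[:settings]['passwordauthentication'].to_s.downcase == 'yes' }
    .map { |m| m[:criteria] }
end

# What the slide's control checks, kept here for comparison.
def slide_regex_flags?(text)
  !!(text =~ /^\s*PasswordAuthentication\s+yes/i)
end

# Constructed sample configs (not taken from real hosts).
DEBIAN_DEFAULT = "# Change to no to disable tunnelled clear text passwords\n#PasswordAuthentication yes\nUsePAM yes\n"
FIRST_WINS     = "PasswordAuthentication no\nPasswordAuthentication yes\n"
MATCH_REOPENS  = "PasswordAuthentication no\nMatch User deploy\n    PasswordAuthentication yes\n"

if __FILE__ == $PROGRAM_NAME
  { 'debian default' => DEBIAN_DEFAULT, 'first wins' => FIRST_WINS, 'match reopens' => MATCH_REOPENS }.each do |name, cfg|
    puts "#{name}: slide regex flags=#{slide_regex_flags?(cfg)} " \
         "actually enabled=#{password_auth_enabled?(cfg)} " \
         "match blocks enabling passwords=#{match_blocks_enabling_passwords(cfg).inspect}"
  end
end
```

The three samples show the three ways the regex and reality disagree: the Debian-style file is flagged clean but has password login enabled; the duplicated-directive file is flagged but sshd honours the first `no`; the Match file is disabled globally yet open for one user. A control built on `password_auth_enabled?` plus a non-empty `match_blocks_enabling_passwords` result fails in exactly the cases where an attacker could still try a password.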
![Page 37: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/37.jpg)
How Cloud Defender Works
Alert Logic Cloud Defender
• Identify Attacks & Protect Customers
• Big Data Analytics Platform (Alert Logic ActiveAnalytics)
• Threat Intelligence & Security Content (Alert Logic ActiveIntelligence)
• 24 x 7 Monitoring & Escalation (Alert Logic ActiveWatch)
Customer IT Environment (Cloud, Hybrid, On-Premises) feeds in: Web application events, Log data, Network incidents
![Page 38: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/38.jpg)
Alert Logic Cloud Defender
Threat Manager: Network Intrusion Detection
• Detects suspicious activities across your networks
• Uncovers vulnerabilities in your networks, systems, and
applications
Log Manager: Log Management & Analysis
• Protects your networks, systems, and applications through
log analysis
• Collects, aggregates, and normalizes logs for easy searching
and long term storage
Web Security Manager: Web Application Protection
• Built to protect web applications from web specific attacks
• Learning engine adapts to normal behavior, ensuring
application uptime
Simple Unified Deployment
![Page 39: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/39.jpg)
Questions and Resources
Resources
All available under the
“Attachments” tab of the webinar:
• DevOps: The Security Gap
• Key findings from Alert Logic’s
recent Dev-”Sec”-Ops Survey
• Chef’s Whitepaper:
Compliance at Velocity
• Alert Logic Blog
• Top 10 tips for Security
Professionals Blog
Questions
• Questions? Submit them to the
presenter at anytime into the
question box
![Page 40: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/40.jpg)
Get Connected
www.alertlogic.com
www.chef.io
@alertlogic
@chef
linkedin.com/company/alert-logic
linkedin.com/company/opscode
alertlogic.com/resources/blog/
chef.io/blog
youtube.com/user/AlertLogicTV
youtube.com/user/getchef
brighttalk.com/channel/11587
brighttalk.com/channel/11349
![Page 41: DevSecOps: Taking a DevOps Approach to Security](https://reader030.vdocuments.us/reader030/viewer/2022032422/55a942b41a28abfd5c8b47c3/html5/thumbnails/41.jpg)
Contact Us
James Brown
Director of Cloud Computing & Security Architecture
Alert Logic
Alex Manly
Solution Architect
Chef
Thank you!