Does DevSecOps really exist?

Post on 09-Jan-2017

TRANSCRIPT

<ul>
<li><p>Does DevSecOps Really Exist? Alex Manly</p></li>
<li><p>Who am I?</p><p>Alex Manly, Principal DevOps Consultant, Contino (UK). @apmanly, alex.manly@contino.io</p></li>
<li><p>Compliance Report - Verizon</p><p>Out of 10,000 companies that were surveyed, 1 in 5 were non-compliant to regulation.</p><p>Challenge: the ability to keep up with a moving target. Requirements change by an average of 18% over a year.</p><p>Non-compliant breached companies: 45% - patch management and development security; 72% - log management and monitoring; 73% - firewall configuration.</p><p>Challenge: the ability to continuously monitor their environments for changes.</p></li>
<li><p>Cloud Pain Points</p><p>[Chart: Cloud Computing Pain Points. 2014 451 Research, LLC, www.451research.com. Q. What are your top cloud computing-related pain points? Select up to three. n=163. Source: Cloud Computing Wave 7. Categories shown: Business Continuity/Disaster Recovery, Interoperability, Lack of Provider Competence, Perception and Internal Resistance, Storage, Data Movement, Governance, Capacity Planning/Management, Legacy Applications, Technology Immaturity, Complexity, Limited Transparency and Management, Service-level Management, Lack of Standards, Network, Service Reliability/Availability, Contractual/Legal Issues, Organizational Challenges, Vendor/Provider Issues, Lack of Internal Process, Management, Internal Resources/Expertise, Migration/Integration, Compliance, Security of Data / Control of Data Locality / Sovereignty, Human Change Management, Pricing/Budget/Cost, Security.]</p><p>Other pain points mentioned: Automated Provisioning, Automation, Billing/Chargeback/Show-back, Ease of Transfer Between Private and Public Cloud, Integration of Private and Public Cloud, Lack of Control, Lack of Flexibility, Licensing, Orchestration, Performance, Platform/Provider Selection, Support, Time to Deployment.</p></li>
<li><p>Shared Security Model</p></li>
<li><p>Compliance Drag</p><p>Emerging technologies changing all the time</p><p>Lack of resources</p><p>Access to data and systems</p><p>Scale of the problem</p><p>Moving target: regulation frequently changes</p><p>Reactive rather than proactive</p><p>Drag on velocity</p></li>
<li><p>"The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done."</p><p>Gene Kim, former CTO of Tripwire, Author of The Phoenix Project: A Novel About IT, DevOps &amp; Helping Your Business Win</p><p>InfoSec Ends Up Being Marginalised</p></li>
<li><p>"If you think compliance is expensive, try non-compliance."</p><p>Former US Deputy Attorney General, Paul McNulty</p></li>
<li><p>High Velocity IT</p></li>
<li><p>Infrastructure on Demand</p></li>
<li><p>DevOps</p><p>DevOps is a primary movement in the growing trend to industrialize IT service development and production.</p><p>IDC expects DevOps strategies will increasingly dominate enterprise and service provider strategies.</p><p>By 2016, DevOps will be employed by 25% of Global 2000 organizations.</p><p>DevOps technologies will achieve revenue of $4B by 2018.</p></li>
<li><p>Configuration Management</p><p>Automate at Scale</p><p>Desired State Configuration</p><p>Infrastructure as Code</p><p>Efficient &amp; Repeatable</p><p>Cattle not Pets</p></li>
<li><p>Automation and Convergent Infrastructure</p><p>Mark Burgess, creator of CFEngine, Author of In Search of Certainty</p><p>"A system's desired configuration state can be said to be defined by fixed points. Most configuration management systems (e.g. CFEngine, Chef, Puppet, PowerShell DSC) are based on this idea: they provide means to declare what must happen instead of requiring imperative workflows that prescribe what we do."</p></li>
<li><p>Driving Towards Immutable Infrastructures</p><p>"This is what I call disposable computing. Throw away a broken process rather than try to fix it. Machines can be made expendable as long as the total software is designed for it. Not much of it is today, but we're getting there. Nature shows that this is a good way of scaling services."</p><p>Mark Burgess, creator of CFEngine, Author of In Search of Certainty</p></li>
<li><p>Infrastructure as Code</p><p>Programmatically provision and configure components</p><p>Treat it like any other code base</p><p>Reconstruct the business from the code repository, data backup, and compute resources</p></li>
<li><p>Security &amp; Compliance Implications</p></li>
<li><p>Automate all the things</p></li>
<li><p>Architecture</p><p>Conway's Law: It's the Law</p><p>Monoliths, SOA, Microservices</p><p>Design for: Deployability, Testability, Operationability, Changeability</p><p>Evolve your architecture</p><p>Cloud</p></li>
<li><p>DevSecOps</p><p>Security as Code - Software-defined Security</p><p>Embed security tests into the pipeline</p><p>Test security early</p></li>
<li><p>Shift Security Left</p></li>
<li><p>Continuous Security</p><p>Security Posture</p><p>End-to-end Visibility</p><p>Continuous Detection/Prevention</p><p>Automated Configuration and Scaling</p><p>Remediation &amp; Fast Resolution</p><p>Disaster Recovery and Business Continuity</p><p>Audit &amp; Compliance</p></li>
<li><p>Design Secure Immutable Infrastructure: Prevent Attacks with Immutable</p><p>Build secure base images that are representative of your infrastructure system base.</p><p>Design the file system layout to separate code from data, and lock down to the minimum required permissions. This should expand to the network as well.</p><p>Leverage SANS Checklist and CIS Benchmark resources for system-level security best practices and guidance.</p><p>Leverage configuration management tools to standardize all software versions and configurations.</p></li>
<li><p>Manage Vulnerabilities with Base Images</p><p>Manage Vulnerabilities: Conduct normal vulnerability scanning. Identify vulnerabilities that exist in base images versus application-specific packages. Remediate at the appropriate level as part of the Continuous Delivery process. Start with a hardened, secure-by-default base.</p><p>Results: Less work, done more reliably. Patching fits naturally into Phoenix Upgrades. Continuous Delivery allows frequent scanning in test environments to have real value. Fixes potential vulnerabilities systematically.</p></li>
<li><p>Adopt Phoenix Upgrade Strategy</p><p>Embrace Phoenix Upgrades: Stand up new instances, don't upgrade. Route traffic between old and new instances. Rich service metrics and automated rollback. Advanced routing can enable selective rollout.</p><p>Results: Creates evergreen systems, avoiding configuration drift and technical debt. Enforces refresh of all system components as a complete artifact, tested as a holistic system. Greatly reduces security risks when combined with immutable instances and configuration management.</p></li>
<li><p>Example - Static Code Analysis</p><p>This example will identify any code that tries to mount disk volumes. If such code is identified, it will be audited, and then workflow can control the action taken on this deviation from standards.</p></li>
<li><p>Example - PCI Compliance</p><p>PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.</p><p>Rule</p><pre><code>rules 'PCI 2.3 Confirm telnet port not available'
  rule on run_control
  when
    name = 'should be listening'
    resource_type = 'port'
    resource_name = '23'
    status != 'success'
  then
    audit:error("PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.")
    notify("security-team@financialcorp.com", "A machine is listening for connections on port 23/telnet!")
  end
end
</code></pre><p>Control</p><pre><code>controls 'port compliance' do
  control port(23) do
    it "has nothing listening" do
      expect(port(23)).to_not be_listening
    end
  end
end
</code></pre></li>
<li><p>Example - SOX Compliance</p><p>SOX Section 302.4.B Establish verifiable controls to track data access.</p><p>Rule</p><pre><code>rules 'force key based auth'
  rule on run_control
  when
    name = 'is disabled'
    resource_type = 'File'
    resource_name = '/etc/ssh/sshd_config'
    status = 'failed'
  then
    audit:error("SOX Section 302.4.B Establish verifiable controls to track data access.")
    notify("security-team@financialcorp.com", "A machine has password login enabled!")
  end
end
</code></pre><p>Control</p><pre><code>controls 'password authentication' do
  control file('/etc/ssh/sshd_config') do
    it "is disabled" do
      expect(file('/etc/ssh/sshd_config')).to_not match(/^\s*PasswordAuthentication\s+yes/i)
    end
  end
end
</code></pre></li>
<li><p>We Can Help</p></li>
<li><p>We help our clients adopt a modern composable stack of technologies</p><p>Microservices</p><p>Configuration Management &amp; Infrastructure Automation</p><p>Container Technology</p><p>Cloud Infrastructure</p><p>We are Docker Premier Partners</p></li>
<li><p>Contino helps to transform the software development factory. Organisations have to modernise their ways of working, their infrastructure and their application delivery pipelines to prevent industry disruption and move to a faster and leaner IT model.</p><p>OLD WORLD</p><p>ARCHITECTURE: Complex interconnected legacy systems</p><p>DELIVERY MODEL: Big, risky, infrequent, heavyweight software releases</p><p>ORGANISATIONAL STRUCTURE: Siloed organisational structures</p><p>INFRASTRUCTURE: Traditional physical or virtualised infrastructure provisioned by IT operations</p><p>PRIORITIES: Efficient, predictable, risk-averse IT engine</p><p>NEW WORLD</p><p>ARCHITECTURE: Loosely coupled microservice architectures</p><p>DELIVERY MODEL: Continual stream of change through continuous delivery</p><p>ORGANISATIONAL STRUCTURE: Cross-functional empowered teams</p><p>INFRASTRUCTURE: Cloud-based infrastructure provisioned by development teams</p><p>PRIORITIES: Fast, agile and innovative IT engine</p></li>
<li><p>Contino helps to transform the software development factory</p><p>One of the UK's Top 3 Largest Retail Banks: Adopting Docker container technology; rationalising the development toolchain; introducing more automation into the delivery pipeline; advising on strategy for global transformation.</p><p>One of the UK's Top 3 Largest Retailers: Implementing public cloud; configuration-managing on-demand environments; Infrastructure as Code definition; upskilling &amp; training the global engineering workforce.</p><p>One of the UK's Top 3 Largest Telecoms Providers: Integrating a cloud broker across private and public cloud; configuration-managing on-demand environments; improving the Continuous Delivery pipeline and improving rigour of the software development lifecycle.</p><p>Organisations across industries need to transform their software delivery engines. We are working with many of the largest enterprise brands across verticals.</p></li>
<li><p>How we drive transformation and cultural change</p><p>Cultural change emerges from many small steps. We help to deliver on key ways of working and technology modernisation initiatives, whilst also helping to create a thriving and more vibrant technology culture as a key deliverable.</p><p>Process: Key IT Processes; KPIs; Agile &amp; Lean</p><p>People: Organisational Design; Skills; Incentives</p><p>Technology: Infrastructure; Architecture; Application Delivery</p></li>
<li><p>Who we work with</p></li>
<li><p>Thanks!</p><p>www.contino.io</p><p>alex.manly@contino.io</p></li>
</ul>
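<p>The SOX control in the deck passes whenever no line matches <code>/^\s*PasswordAuthentication\s+yes/i</code>, but OpenSSH defaults PasswordAuthentication to yes when the directive is absent and applies only the first occurrence of a directive. The Ruby script below is an added example, not part of Alex Manly's deck or of Chef's tooling; it runs the deck's regex and an evaluation of the effective setting side by side over constructed sshd_config samples, and its function and constant names are assumptions of this example.</p>

```ruby
# Added example (not from the slides): compare the deck's regex-based SOX
# check with the effective PasswordAuthentication setting as sshd applies it.

SLIDE_PATTERN = /^\s*PasswordAuthentication\s+yes/i

# The deck's check: flags the config only when an explicit "yes" line exists.
def slide_check_flags?(config)
  config.match?(SLIDE_PATTERN)
end

# Effective setting in the global section: comments are ignored, the first
# occurrence wins, and directives after a Match block are conditional, so the
# scan stops there. An absent directive means the OpenSSH default (yes).
def password_auth_enabled?(config)
  config.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    break if line.match?(/\AMatch\b/i)
    key, value = line.split(/\s+/, 2)
    next unless key.casecmp?('PasswordAuthentication')
    return value.to_s.strip.casecmp?('yes')
  end
  true
end

# Constructed sample configurations exercising the edge cases.
CONFIGS = {
  'explicit_yes' => "Port 22\nPasswordAuthentication yes\n",
  'explicit_no'  => "PasswordAuthentication no\nPubkeyAuthentication yes\n",
  'commented'    => "# PasswordAuthentication no\nPort 22\n",
  'first_wins'   => "PasswordAuthentication no\nPasswordAuthentication yes\n",
  'match_block'  => "PasswordAuthentication no\nMatch User deploy\n  PasswordAuthentication yes\n",
}

# Returns, per sample, what the deck's regex reports versus the effective value.
def compare
  CONFIGS.transform_values do |config|
    { slide: slide_check_flags?(config), effective: password_auth_enabled?(config) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each { |name, result| puts "#{name.ljust(13)} slide=#{result[:slide]} effective=#{result[:effective]}" }
end
```

The 'commented' sample is the one the deck's control would pass while password login is in fact enabled; 'first_wins' shows the opposite, a finding raised on a host where sshd ignores the later line.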