Does DevSecOps Really Exist?


Posted on 09-Jan-2017


TRANSCRIPT

  • Does DevSecOps Really Exist? Alex Manly

  • Who am I?

    Alex Manly, Principal DevOps Consultant, Contino (UK). @apmanly, alex.manly@contino.io

  • Compliance Report - Verizon

    Out of 10,000 companies that were surveyed, 1 in 5 were non-compliant with regulation.

    Challenge: the ability to keep up with a moving target. Requirements change by an average of 18% over a year.

    Non-compliant breached companies: 45% - patch management and development security; 72% - log management and monitoring; 73% - firewall configuration.

    Challenge: the ability to continuously monitor their environments for changes.

  • 2014 451 Research, LLC. www.451research.com

    Cloud Pain Points

    [Chart: Cloud Computing Pain Points. Q. "What are your top cloud computing-related pain points? Select up to three." n=163. Source: 451 Research, Cloud Computing Wave 7. Pain points surveyed: Business Continuity/Disaster Recovery; Interoperability; Lack of Provider Competence; Perception and Internal Resistance; Storage; Data Movement; Governance; Capacity Planning/Management; Legacy Applications; Technology Immaturity; Complexity; Limited Transparency and Management; Service-level Management; Lack of Standards; Network; Service Reliability/Availability; Contractual/Legal Issues; Organizational Challenges; Vendor/Provider Issues; Lack of Internal Process Management; Internal Resources/Expertise; Migration/Integration; Compliance; Security of Data, Control of Data Locality, Sovereignty; Human Change Management; Pricing/Budget/Cost; Security. Other pain points mentioned: Automated Provisioning; Automation; Billing/Chargeback/Show-back; Ease of Transfer Between Private and Public Cloud; Integration of Private and Public Cloud; Lack of Control; Lack of Flexibility; Licensing; Orchestration; Performance; Platform/Provider Selection; Support; Time to Deployment.]

  • Shared Security Model

  • Compliance Drag

    Emerging technologies changing all the time

    Lack of resources

    Access to data and systems

    Scale of the problem

    Moving target: regulation frequently changes

    Reactive rather than proactive

    Drag on velocity

  • "The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done."

    Gene Kim, former CTO of Tripwire, author of The Phoenix Project: A Novel About IT, DevOps & Helping Your Business Win

    InfoSec Ends Up Being Marginalised

  • "If you think compliance is expensive, try non-compliance."

    Former US Deputy Attorney General, Paul McNulty

  • High Velocity IT

  • Infrastructure on Demand

  • DevOps

    DevOps is a primary movement in the growing trend to industrialize IT service development and production.

    IDC expects DevOps strategies will increasingly dominate enterprise and service provider strategies.

    By 2016, DevOps will be employed by 25% of Global 2000 organizations.

    DevOps technologies will achieve revenue of $4B by 2018.

  • Configuration Management

    Automate at Scale

    Desired State Configuration

    Infrastructure as Code

    Efficient & Repeatable

    Cattle, not Pets

  • Automation and Convergent Infrastructure

    Mark Burgess, creator of CFEngine, author of In Search of Certainty:

    "A system's desired configuration state can be said to be defined by fixed points. Most configuration management systems (e.g. CFEngine, Chef, Puppet, PowerShell DSC) are based on this idea: they provide means to declare what must happen instead of requiring imperative workflows that prescribe what we do."

  • Driving Towards Immutable Infrastructures

    "This is what I call disposable computing. Throw away a broken process rather than try to fix it. Machines can be made expendable as long as the total software is designed for it. Not much of it is today, but we're getting there. Nature shows that this is a good way of scaling services."

    Mark Burgess, creator of CFEngine, author of In Search of Certainty

  • Programmatically provision and configure components

    Treat it like any other code base

    Reconstruct the business from code repository, data backup, and compute resources

    Infrastructure as Code

  • Security & Compliance Implications

  • Automate all the things

  • Architecture

    Conway's Law: It's the Law

    Monoliths / SOA / Microservices

    Design for:

    Deployability

    Testability

    Operability

    Changeability

    Evolve your architecture

    Cloud

  • Security as Code - Software-defined Security

    Embed security tests into the pipeline

    Test security early

    DevSecOps

  • Shift Security Left

  • Continuous Security

    Security Posture

    End-to-end Visibility

    Continuous Detection/Prevention

    Automated Configuration and Scaling

    Remediation & Fast Resolution

    Disaster Recovery and Business Continuity

    Audit & Compliance

  • Build secure base images that are representative of your infrastructure system base

    Design the filesystem layout to separate code from data, and lock down to the minimum required permissions. This should expand to the network as well.

    Leverage SANS Checklist and CIS Benchmark resources for system-level security best practices and guidance.

    Leverage configuration management tools to standardize all software versions and configurations.

    Design Secure Immutable Infrastructure

    Prevent Attacks with Immutable

  • Manage Vulnerabilities with Base Images

    Manage Vulnerabilities: Conduct normal vulnerability scanning. Identify vulnerabilities that exist in base images versus application-specific packages. Remediate at the appropriate level as part of the Continuous Delivery process. Start with a hardened, secure-by-default base.

    Results: Less work, done more reliably. Patching fits naturally into Phoenix Upgrades. Continuous Delivery allows frequent scanning in test environments to have real value. Fixes potential vulnerabilities systematically.

  • Embrace Phoenix Upgrades: Stand up new instances, don't upgrade. Route traffic between old and new instances. Rich service metrics and automated rollback. Advanced routing can enable selective rollout.

    Results: Creates evergreen systems, avoiding configuration drift and technical debt.

    Enforces refresh of all system components as a complete artifact, tested as a holistic system.

    Greatly reduces security risks when combined with immutable instances and configuration management.

    Adopt Phoenix Upgrade Strategy

  • This example will identify any code that tries to mount disk volumes. If such code is identified, it will be audited, and a workflow can then control the action taken on this deviation from standards.

    Example - Static Code Analysis

  • Example: PCI Compliance

    PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.

    Rule:

    rules 'PCI 2.3 Confirm telnet port not available'
      rule on run_control
      when
        name = 'has nothing listening'
        resource_type = 'port'
        resource_name = '23'
        status != 'success'
      then
        audit:error("PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.")
        notify("security-team@financialcorp.com", "A machine is listening for connections on port 23/telnet!")
      end
    end

    Control:

    controls 'port compliance' do
      control port(23) do
        it "has nothing listening" do
          expect(port(23)).to_not be_listening
        end
      end
    end

  • Example: SOX Compliance

    SOX Section 302.4.B - Establish verifiable controls to track data access.

    Rule:

    rules 'force key based auth'
      rule on run_control
      when
        name = 'is disabled'
        resource_type = 'File'
        resource_name = '/etc/ssh/sshd_config'
        status = 'failed'
      then
        audit:error("SOX Section 302.4.B Establish verifiable controls to track data access.")
        notify("security-team@financialcorp.com", "A machine has password login enabled!")
      end
    end

    Control:

    controls 'password authentication' do
      control file('/etc/ssh/sshd_config') do
        it "is disabled" do
          expect(file('/etc/ssh/sshd_config')).to_not match(/^\s*PasswordAuthentication\s+yes/i)
        end
      end
    end
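    The SOX control above passes whenever no explicit, uncommented "PasswordAuthentication yes" line is present, which is not how sshd decides the setting. The Ruby below is an added example, not code from the slides or from Chef: it evaluates the effective global value using sshd_config(5) semantics (first value wins, comments ignored, directives inside a Match block are not global, and an absent keyword falls back to the default of yes), and compares that verdict with the slide's regex over constructed sample configs.

```ruby
# Added example (not from the slides or from Chef): evaluate the effective
# global PasswordAuthentication setting of an sshd_config the way sshd does,
# instead of only grepping for an explicit "PasswordAuthentication yes".
# sshd_config(5) semantics implemented here:
#   - comments (#) and blank lines are ignored; keywords are case-insensitive
#   - the FIRST value for a keyword wins; later repeats are ignored
#   - anything after the first "Match" line applies only to that block
#   - if the keyword is absent, the compiled-in default "yes" applies
DEFAULT_PASSWORD_AUTH = 'yes'.freeze

def effective_password_auth(config_text)
  config_text.each_line do |raw|
    line = raw.sub(/#.*$/, '').strip                 # drop comments and whitespace
    next if line.empty?
    keyword, value = line.split(/\s*=\s*|\s+/, 2)    # "Key value" or "Key=value"
    return DEFAULT_PASSWORD_AUTH if keyword.casecmp?('Match')  # global section ends here
    return value.to_s.strip.downcase if keyword.casecmp?('PasswordAuthentication')
  end
  DEFAULT_PASSWORD_AUTH
end

# The slide's regex check, for comparison: passes unless an explicit,
# uncommented "PasswordAuthentication yes" line is present.
def naive_check_passes?(config_text)
  !config_text.match?(/^\s*PasswordAuthentication\s+yes/i)
end

# Compliance verdict for "password login is disabled": [compliant?, reason].
def password_login_control(config_text)
  value = effective_password_auth(config_text)
  return [true, 'PasswordAuthentication is explicitly no'] if value == 'no'
  [false, "effective PasswordAuthentication is '#{value}'"]
end

# Constructed sample configs for the demo (not captured from real hosts).
SAMPLE_CONFIGS = {
  'hardened'        => "Protocol 2\nPasswordAuthentication no\nPubkeyAuthentication yes\n",
  'missing_keyword' => "# PasswordAuthentication no\nPubkeyAuthentication yes\n",
  'first_wins'      => "PasswordAuthentication yes\nPasswordAuthentication no\n",
  'match_only'      => "Match User deploy\n    PasswordAuthentication no\n",
  'equals_form'     => "passwordauthentication=No\n"
}.freeze

SAMPLE_CONFIGS.each do |label, text|
  ok, reason = password_login_control(text)
  naive = naive_check_passes?(text) ? 'PASS' : 'FAIL'
  puts "#{label.ljust(16)} sshd semantics: #{ok ? 'PASS' : 'FAIL'} (#{reason}); slide regex: #{naive}"
end
```

    The missing_keyword and match_only configs both leave password login enabled on the host yet pass the regex check, which is the gap a control built on the real directive semantics closes.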

  • We Can Help

  • We help our clients adopt a modern, composable stack of technologies

    Microservices

    Configuration Management & Infrastructure Automation

    Container Technology

    Cloud Infrastructure. We are Docker Premier Partners

  • Contino helps to transform the software development factory. Organisations have to modernise their ways of working, their infrastructure and their application delivery pipelines to prevent industry disruption and move to a faster and leaner IT model.

    OLD WORLD

    ARCHITECTURE: Complex interconnected legacy systems

    DELIVERY MODEL: Big, risky, infrequent, heavyweight software releases

    ORGANISATIONAL STRUCTURE: Siloed organisational structures

    INFRASTRUCTURE: Traditional physical or virtualised infrastructure provisioned by IT operations

    PRIORITIES: Efficient, predictable, risk-averse IT engine

    NEW WORLD

    ARCHITECTURE: Loosely coupled microservice architectures

    DELIVERY MODEL: Continual stream of change through continuous delivery

    ORGANISATIONAL STRUCTURE: Cross-functional empowered teams

    INFRASTRUCTURE: Cloud-based infrastructure provisioned by development teams

    PRIORITIES: Fast, agile and innovative IT engine

  • One of the UK's Top 3 Largest Retail Banks: Adopting Docker container technology; Rationalising development toolchain; Introducing more automation into the delivery pipeline; Advising on strategy for global transformation

    One of the UK's Top 3 Largest Retailers: Implementing public cloud

    ConfigurationM