November 15, 2016
Multi Security Checkpoints on DevOps platform
Hasan Yasar, Technical Manager, Secure Lifecycle Solutions, Software Engineering Institute, Carnegie Mellon University
Copyright 2016 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0004210
Multi Security Checkpoints
Fundamentals - Process
What Wikipedia says…
• DevOps (a portmanteau of "development" and "operations") emphasizes communication, collaboration, and integration between software developers and information technology (IT) operations personnel. [1]
[1] http://en.wikipedia.org/wiki/DevOps
Jez Humble, https://youtu.be/L1w2_AY82WY
Dave West, http://sdtimes.com/analyst-watch-water-scrum-fall-is-the-reality-of-agile/
[Figure: Water-Scrum-Fall. Labels: Business, Research, Budget, Document, Development, Integrate, Test, Release, QA, Operations]
DevOps is an Extension of Agile Thinking
Agile
• Embrace constant change
• Embed Customer in team to internalize expertise on requirements and domain
DevOps
• Embrace constant testing, delivery
• Embed Operations in team to internalize expertise on deployment and maintenance
[Figure: DevOps. Labels: Shared Goals, Collaboration, Business Needs]
Multiple Dimensions of DevOps
Culture
• Developer and Ops collaborate (Ops includes security)
• Developers and Operations support releases beyond deployment
• Dev and Ops have access to stakeholders who understand business and mission goals
Automation and Measurement
• Automate repetitive and error-prone tasks (e.g., build, testing, and deployment maintain consistent environments)
• Static analysis automation (architecture health)
• Performance dashboards
Process and Practices
• Pipeline streamlining
• Continuous-delivery practices (e.g., continuous integration; test automation; script-driven, automated deployment; virtualized, self-service environments)
System and Architecture
• Architected to support test automation and continuous-integration goals
• Applications that support changes without release (e.g., late binding)
• Scalable, secure, reliable, etc.
Multi Security Checkpoints
DevOps Platform - Platform
Continuous Integration (CI) Model
Integration and communication, even among tools, is the key!
Human actions/inputs to the software development process
Actions performed by autonomous systems
Multi Security Checkpoints
Team Integration - People
DevOps and Security
Rugged {Secure} Dev{Sec}Ops
• DevOps is a Risk Mitigation strategy, built on Situational Awareness, Automation, and Repetition
• But security is where a lot of DevOps implementations fall down
• Goal:
– Protecting private user data
– Restricting access to data/systems
– Protecting company data/IP
– Standards compliance
– Safeguarding disposition/transition
Team Composition
Developers
• Features
• Quality Attributes
• Efficiency
• Performance
• Users
• Authentication
• Authorization
IT Ops
• Deployment
• Maintenance
• Updates
• Change policy
• Failure
• Data loss
• Risk prevention
QA
• Testable
• Issue tracking
• Bug Reports
• Usability
• Help Desk
Security Team
• Data Privacy
• Intrusion detection
• Threat vectors
• CVEs
• Package security
• Authentication
• Authorization
• Security Standards Compliance
DevOps: Multiple Team Integrations
DevOps: Multiple Team Integrations + With Security Team
Multi Security Checkpoints
Platform Security in DevOps
Evolution of software development
Old days…
• Custom development – context:
  • Software was limited
    § Size
    § Function
    § Audience
  • Each organization employed developers
  • Each organization created their own software
• Supply chain: practically none
In these days…
• Shared development – ISVs (COTS) – context:
  • Function largely understood
    § Automating existing processes
  • Grown beyond ability for using organization to develop economically
  • Outside of core competitiveness by acquirers
• Supply chain: software supplier
Development is now assembly
• Collective development – context:
  • Too large for single organization
  • Too much specialization
  • Too little value in individual components
• Supply chain: long
[Figure: Like “Plug N Play”. Components: General Ledger, SQL Server, WebSphere, HTTP server, XML Parser, Oracle DB, SIP servlet container, GIF library. Note: hypothetical application composition]
Software supply chain for assembled software
• Complexity of acquisition, development and deployment
• Visibility & awareness
Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsis of May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
Reducing software supply chain risk factors
Software supply chain risk for a product needs to be reduced to acceptable level
• Supplier Capability: Supplier follows practices that reduce supply chain risks
• Product Security: Delivered or updated product is acceptably secure
• Product Distribution: Methods of transmitting the product to the purchaser guard against tampering
• Operational Product Control: Product is used in a secure manner
Supply Chain Hygiene: Recommendations
• Supplier security commitment evidence
• Supplier employees are educated as to security engineering practices
• Supplier follows suitable security design practices
• Evaluate a product’s threat resistance
• What product characteristics minimize opportunities to enter and change the product’s security characteristics?
• Create centralized private repositories of vetted 3rd party components for all developers
• Establish good product distribution practices
• Recognize that supply chain risks are accumulated
• Monitor for new vulnerabilities and know where they are in the enterprise to fix
• Minimize variation of components to make things easier (multiple versions, duplicated utility)
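Three of the recommendations above (vetted private repository, knowing where a vulnerable component is in the enterprise, minimizing version variation) can be enforced as one pipeline checkpoint. The sketch below is an added example, not part of the original slides; the application names, component names, versions and the advisory are constructed sample data, and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: component versions vetted into the private repository.
VETTED = {("xml-parser", "2.4.1"), ("http-server", "1.18.0"),
          ("gif-library", "5.2.1")}

# Constructed inventory: (application, component, version) actually shipped.
INVENTORY = [
    ("general-ledger", "xml-parser", "2.4.1"),
    ("general-ledger", "http-server", "1.18.0"),
    ("billing", "xml-parser", "2.3.0"),
    ("billing", "gif-library", "5.2.1"),
    ("portal", "xml-parser", "2.4.1"),
    ("portal", "image-utils", "0.9.0"),
]


def unvetted(inventory, vetted):
    """Entries whose exact component version is not in the vetted repository."""
    return [e for e in inventory if (e[1], e[2]) not in vetted]


def version_variation(inventory):
    """Components in use in more than one version, with the versions seen."""
    seen = defaultdict(set)
    for _app, name, version in inventory:
        seen[name].add(version)
    return {n: sorted(v) for n, v in seen.items() if len(v) > 1}


def where_affected(inventory, component, bad_versions):
    """Applications that ship an affected version named in an advisory."""
    return sorted({app for app, name, version in inventory
                   if name == component and version in bad_versions})


def checkpoint(inventory, vetted):
    """Pipeline gate: pass only when every shipped component is vetted."""
    findings = unvetted(inventory, vetted)
    return {"passed": not findings, "unvetted": findings,
            "variation": version_variation(inventory)}


if __name__ == "__main__":
    print(checkpoint(INVENTORY, VETTED))
    # Constructed advisory: xml-parser 2.3.0 reported vulnerable.
    print(where_affected(INVENTORY, "xml-parser", {"2.3.0"}))
```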
Platform Security Overview
• Development and operations teams engineer infrastructure and application
• Operations maintains continuous delivery process
• Developers write and push code
• Continuous integration server internally deploys code
– Docker run/VM provision
– Build
– Test
• QA team evaluates the application for correctness
• Continuous delivery process deploys code to production servers
• Operations maintains production servers
Platform Security Overview with Security Highlights
• Development, operations, and security teams engineer infrastructure and application
• Operations maintains continuous delivery process
• Developers write and push code
• Code push triggers security analysis via security controller
• Continuous integration server internally deploys code
– Docker run/VM provision
– Build
– Test
– Automated security scan
• QA team evaluates the application for correctness
• Continuous delivery process deploys code to production servers
• Operations maintains production servers
Multi Security Checkpoints
AppSec and DevOps - Integrating Security practices into DevOps
Dev Lifecycle
Dev + Business Lifecycle
DevOps Lifecycle
Where are opportunities for security processes?
DevOps Lifecycle
• Threat Modeling, Security as a quality attribute
• Secure/hardened environments
• Security-focused code review
• Automated Security Testing (Static analysis, etc.)
• More Security Testing (Pen Testing, Fuzz Testing)
• Security review/acceptance testing
Secure DevOps Lifecycle
Security must be addressed without breaking the rapid delivery, continuous feedback model
[Figure: Secure DevOps Lifecycle. Labels: Devs, Constant Feedback to Dev]
Automation (CI/CD) and Security
§ Not everything can be, needs to be, or should be, automated
§ Draw perimeters around things you trust and let that guide where human interaction and verification is needed
§ Keep track of security assessments
§ Regimented code management
§ Know what source code contributed to a build that’s in production so patches are fast and confident
§ Perform manual reviews as little as possible (NOT to block CD)
§ static analysis
§ (peer) Code review
§ Pen testing (or any security testing tools)
Post-Production Monitoring with Security Mindset
• Monitor audit logs produced by CI/CD for anomalies
• Monitor production applications to assure nothing changes outside of the normal change process
• Monitor for new vulnerabilities/threats (a catalog of running components helps!)
Multi Security Checkpoints
Practical Security integration Scenarios CI/CD
Secure DevOps Lifecycle
• Pausing for manual steps is typical
• Optimize the manual work!
• Persist the output of any tools/work
Scenario - 1
Scenario - 2
Scenario - 3
Multi Security Checkpoints
Demo
All videos are in SEI YouTube channel https://www.youtube.com/user/TheSEICMU/featured
Or in Secure DevOps section https://www.youtube.com/playlist?list=PLSNlEg26NNpx3fYrfZokWuye9RVMCnCsc
More on SEI DevOps Blog https://insights.sei.cmu.edu/devops
Contact Information
Hasan Yasar
Technical Manager, [email protected]
@securelifecycle
Web Resources (CERT/SEI)
http://www.cert.org/
http://www.sei.cmu.edu/